CVE-2016-7138

Published on: 03/07/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:06 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Certain versions of Plone (vendor: Plone) contain the following vulnerability:

Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

  • CVE-2016-7138 has been assigned by [email protected] to track the vulnerability; it is currently rated as MEDIUM severity.

CVSS3 Score: 6.1 - MEDIUM

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS2 Score: 4.3 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVE References

  • Full Disclosure: Multiple Vulnerabilities in Plone CMS
    Tags: Third Party Advisory, VDB Entry
    Link: seclists.org (text/html), FULLDISC 20161019 Multiple Vulnerabilities in Plone CMS
  • SecurityFocus
    Link: www.securityfocus.com (text/html), BUGTRAQ 20161012 Multiple Vulnerabilities in Plone CMS
  • oss-security - Re: CVE request: Plone multiple vulnerabilities
    Tags: Mailing List, Patch, Third Party Advisory
    Link: www.openwall.com (text/html), MLIST [oss-security] 20160905 Re: CVE request: Plone multiple vulnerabilities
  • Plone Multiple Security vulnerabilities
    Link: cve.report (archive) (text/html), BID 92752
  • Plone CMS 4.3.11 / 5.0.6 XSS / Traversal / Open Redirection ≈ Packet Storm
    Tags: Exploit, Third Party Advisory, VDB Entry
    Link: packetstormsecurity.com (text/html), MISC packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html
  • Non-Persistent XSS in Plone — Site
    Tags: Vendor Advisory
    Link: plone.org (text/html), CONFIRM plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1

Known Affected Configurations (CPE V2.3)

Type         Vendor  Product  Version  Update  Edition  Language
Application  Plone   Plone    3.3      All     All      All
Application  Plone   Plone    3.3.1    All     All      All
Application  Plone   Plone    3.3.2    All     All      All
Application  Plone   Plone    3.3.3    All     All      All
Application  Plone   Plone    3.3.4    All     All      All
Application  Plone   Plone    3.3.5    All     All      All
Application  Plone   Plone    3.3.6    All     All      All
Application  Plone   Plone    4.0      All     All      All
Application  Plone   Plone    4.0.1    All     All      All
Application  Plone   Plone    4.0.10   All     All      All
Application  Plone   Plone    4.0.2    All     All      All
Application  Plone   Plone    4.0.3    All     All      All
Application  Plone   Plone    4.0.4    All     All      All
Application  Plone   Plone    4.0.5    All     All      All
Application  Plone   Plone    4.0.7    All     All      All
Application  Plone   Plone    4.0.8    All     All      All
Application  Plone   Plone    4.0.9    All     All      All
Application  Plone   Plone    4.1      All     All      All
Application  Plone   Plone    4.1.1    All     All      All
Application  Plone   Plone    4.1.2    All     All      All
Application  Plone   Plone    4.1.3    All     All      All
Application  Plone   Plone    4.1.4    All     All      All
Application  Plone   Plone    4.1.5    All     All      All
Application  Plone   Plone    4.1.6    All     All      All
Application  Plone   Plone    4.2      All     All      All
Application  Plone   Plone    4.2.1    All     All      All
Application  Plone   Plone    4.2.2    All     All      All
Application  Plone   Plone    4.2.3    All     All      All
Application  Plone   Plone    4.2.4    All     All      All
Application  Plone   Plone    4.2.5    All     All      All
Application  Plone   Plone    4.2.6    All     All      All
Application  Plone   Plone    4.2.7    All     All      All
Application  Plone   Plone    4.3      All     All      All
Application  Plone   Plone    4.3.1    All     All      All
Application  Plone   Plone    4.3.10   All     All      All
Application  Plone   Plone    4.3.11   All     All      All
Application  Plone   Plone    4.3.2    All     All      All
Application  Plone   Plone    4.3.3    All     All      All
Application  Plone   Plone    4.3.4    All     All      All
Application  Plone   Plone    4.3.5    All     All      All
Application  Plone   Plone    4.3.6    All     All      All
Application  Plone   Plone    4.3.7    All     All      All
Application  Plone   Plone    4.3.8    All     All      All
Application  Plone   Plone    4.3.9    All     All      All
Application  Plone   Plone    5.0      All     All      All
Application  Plone   Plone    5.0      a1      All      All
Application  Plone   Plone    5.0      rc1     All      All
Application  Plone   Plone    5.0      rc2     All      All
Application  Plone   Plone    5.0      rc3     All      All
Application  Plone   Plone    5.0.1    All     All      All
Application  Plone   Plone    5.0.2    All     All      All
Application  Plone   Plone    5.0.3    All     All      All
Application  Plone   Plone    5.0.4    All     All      All
Application  Plone   Plone    5.0.5    All     All      All
Application  Plone   Plone    5.0.6    All     All      All
Application  Plone   Plone    5.1a1    All     All      All
  • cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*