QID 981411: Python (pip) Security Update for Products.isurlinportal (GHSA-q3m9-9fj2-mfwr)
Security update has been released for Products.isurlinportal to fix the vulnerability.
Various parts of Plone use the 'is url in portal' check for security, mostly to see if it is safe to redirect to a URL. A URL like `https://example.org` is not in the portal.
But the URL `https:example.org`, without slashes, tricks our code and it _is_ considered to be in the portal.
When redirecting, some browsers go to `https://example.org`, others give an error.
Attackers may use this to redirect you to their site, especially as part of a phishing attack.
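The following is an added illustration, not code from Products.isurlinportal or Plone. It uses a hypothetical, simplified "is url in portal" check to show why `https:example.org` slips through a naive test, and a hardened variant that treats any URL carrying a scheme but no host as untrusted. The portal hostname `plone.example.test` and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed portal hostname for the demonstration (assumption, not from the advisory).
PORTAL_HOST = "plone.example.test"


def naive_is_url_in_portal(url: str) -> bool:
    """Simplified model of a flawed check: a URL with no netloc is assumed to be
    a relative path inside the portal. 'https:example.org' parses with
    scheme='https' and netloc='', so it is wrongly accepted."""
    parts = urlparse(url)
    if parts.netloc:
        return (parts.hostname or "").lower() == PORTAL_HOST
    return True  # the flaw: scheme-only URLs fall through here


def is_url_in_portal(url: str) -> bool:
    """Hardened check: anything that names a scheme or a host must name *our*
    host explicitly; only plain relative paths are trusted without one."""
    # Browsers treat backslashes like slashes, so normalise before parsing
    # to keep '/\\evil.example' from being read as a relative path.
    normalised = url.strip().replace("\\", "/")
    parts = urlparse(normalised)
    if parts.scheme:
        # 'https:example.org' has scheme but hostname None -> rejected.
        return parts.scheme in ("http", "https") and (
            (parts.hostname or "").lower() == PORTAL_HOST
        )
    if parts.netloc:
        # network-path reference such as '//evil.example/x'
        return (parts.hostname or "").lower() == PORTAL_HOST
    # scheme-less and host-less: a relative path within the portal
    return True


def audit_redirect_targets(urls):
    """Return (url, naive_verdict, hardened_verdict) so a reviewer can see
    which candidate redirect targets the two checks disagree on."""
    return [(u, naive_is_url_in_portal(u), is_url_in_portal(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample redirect targets.
    samples = [
        "/folder/page",
        "https://plone.example.test/folder",
        "https://example.org",
        "https:example.org",
        "//example.org/x",
        "/\\example.org",
    ]
    for url, naive, hardened in audit_redirect_targets(samples):
        print(f"{url!r:40} naive={naive!s:5} hardened={hardened}")
```

The hardened function is deliberately stricter than a host comparison: it refuses scheme-relative and backslash-prefixed targets as well, since browsers resolve those against a foreign host even though no explicit netloc appears in the string.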
Solution
The problem has been patched in `Products.isurlinportal` 1.2.0.
This is a recommended upgrade for all users of Plone 4.3 and 5, on Python 2.7 or higher.
It has not been tested on earlier Plone or Python versions.
Upcoming Plone 5.2.5 and higher will include the new version.
Vendor References
- GHSA-q3m9-9fj2-mfwr - github.com/advisories/GHSA-q3m9-9fj2-mfwr
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-q3m9-9fj2-mfwr | Products.isurlinportal | Python (pip) | github.com/advisories/GHSA-q3m9-9fj2-mfwr |