
CVE-2016-7147 plone

Package

Manager: pip
Name: plone
Vulnerable Version: >=4.0 <4.3.12 || >=5.0 <5.0.7

Severity

Level: Medium

CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00299 (percentile 0.5272)

Details

Plone XSS in Zope ZMI

Cross-site scripting (XSS) vulnerability in the manage_findResult component of the search feature in the Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the `obj_ids:tokens` parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.
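The advisory's wording (an incomplete earlier fix, bypassed "via vectors involving double quotes") describes a common escaping gap: a value reflected inside a double-quoted HTML attribute is only safe if the quote characters themselves are neutralised, not just `<` and `>`. The Python below is an added illustration of that gap and is not Plone's code or the real manage_findResult template; the form snippet, the hypothetical `escape_incomplete`/`escape_complete` routines and the attacker string are all constructed for the example. The standard-library HTMLParser stands in for a browser so the result is checked by parsing, not by string matching.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a search form that echoes the submitted
# "obj_ids:tokens" value back inside a double-quoted attribute.
FORM_TEMPLATE = '<input type="text" name="obj_ids:tokens" value="{value}">'

# Constructed attacker input: it contains no angle brackets at all, so a fix that
# only neutralises < and > lets it through, yet the leading double quote closes
# the attribute and everything after it becomes new attributes on the element.
ATTACK_INPUT = 'foo" autofocus onfocus="alert(1)'


def escape_incomplete(value):
    """Hypothetical 'first fix': escapes only the tag-delimiting characters."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_complete(value):
    """Attribute-safe escaping: quote=True also turns " and ' into entities."""
    return html.escape(value, quote=True)


def render(value, escaper):
    """Reflect the user value into the form through the given escaper."""
    return FORM_TEMPLATE.format(value=escaper(value))


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-like parser sees on the <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)


def parse_input_attrs(rendered):
    """Parse the rendered fragment and return {attribute: value} for <input>.

    HTMLParser decodes character references in attribute values, so a
    correctly escaped quote comes back as a literal " inside the value
    rather than as an attribute boundary.
    """
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


def injected_attributes(value, escaper):
    """Attributes on the parsed <input> beyond the three the template declares.

    A non-empty result means the reflected value broke out of the attribute;
    an on* handler in that set is the XSS the advisory describes.
    """
    attrs = parse_input_attrs(render(value, escaper))
    return sorted(set(attrs) - {"type", "name", "value"})


if __name__ == "__main__":
    for name, escaper in (("incomplete", escape_incomplete), ("complete", escape_complete)):
        print(name, render(ATTACK_INPUT, escaper))
        print("  injected attributes:", injected_attributes(ATTACK_INPUT, escaper))
```

With the angle-bracket-only routine the parser reports two attributes the template never declared, `autofocus` and `onfocus`, so the payload fires without a single `<`; with `html.escape(value, quote=True)` the whole attacker string is parsed back as the literal `value` attribute and nothing else. The same check generalises to any reflected parameter: render it, parse the result, and compare the attribute set against what the template declares.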

Metadata

Created: 2022-05-17T03:00:45Z
Modified: 2024-10-18T15:47:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-84jm-cpc5-c7g7/GHSA-84jm-cpc5-c7g7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-84jm-cpc5-c7g7
Finding: F008
Auto approve: 1