Plone Open Redirection vulnerability via next parameter
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Aug 16, 2023
Package
Affected versions
< 4.1.1
>= 4.2.0, < 4.2.6
>= 4.3.0, < 4.3.2
Patched versions
4.1.1
4.2.6
4.3.2
Description
Published by the National Vulnerability Database
Jan 21, 2014
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Feb 14, 2023
Last updated
Aug 16, 2023
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.
References