diff --git a/Products/CMFPlone/URLTool.py b/Products/CMFPlone/URLTool.py
index 9cb669581e..bb0b9e8c0e 100644
--- a/Products/CMFPlone/URLTool.py
+++ b/Products/CMFPlone/URLTool.py
@@ -30,6 +30,9 @@ def isURLInPortal(self, url, context=None):
         """
         # sanitize url
         url = re.sub('^[\x00-\x20]+', '', url).strip()
+        if ('<script' in url or '%3Cscript' in url or 'javascript:' in url or
+                'javascript%3A' in url):
+            return False
 
         p_url = self()
 
diff --git a/Products/CMFPlone/patches/__init__.py b/Products/CMFPlone/patches/__init__.py
index 3499b597b8..4c80d4d4d1 100644
--- a/Products/CMFPlone/patches/__init__.py
+++ b/Products/CMFPlone/patches/__init__.py
@@ -24,3 +24,11 @@
 
 import sendmail
 sendmail.applyPatches()
+
+try:
+    # kupu may not be installed
+    import kupu
+except ImportError:
+    pass
+
+import addMember
\ No newline at end of file
diff --git a/Products/CMFPlone/patches/addMember.py b/Products/CMFPlone/patches/addMember.py
new file mode 100644
index 0000000000..232ef79adf
--- /dev/null
+++ b/Products/CMFPlone/patches/addMember.py
@@ -0,0 +1,8 @@
+try:
+    from Products.CMFPlone import patches  # noqa
+except ImportError:
+    pass
+
+from Products.CMFCore.RegistrationTool import RegistrationTool
+if hasattr(RegistrationTool.addMember.im_func, '__doc__'):
+    del RegistrationTool.addMember.im_func.__doc__
diff --git a/Products/CMFPlone/patches/kupu.py b/Products/CMFPlone/patches/kupu.py
new file mode 100644
index 0000000000..37f5f179f5
--- /dev/null
+++ b/Products/CMFPlone/patches/kupu.py
@@ -0,0 +1,22 @@
+#####################
+# Newly created sites
+
+from AccessControl.Permission import _registeredPermissions
+from AccessControl.Permission import ApplicationDefaultPermissions
+from AccessControl.Permission import pname
+from Products.kupu.plone import permissions
+
+
+mangled = pname(permissions.ManageLibraries)
+if hasattr(ApplicationDefaultPermissions, mangled):
+    delattr(ApplicationDefaultPermissions, mangled)
+
+
+if permissions.ManageLibraries in _registeredPermissions:
+    del _registeredPermissions[permissions.ManageLibraries]
+
+
+permissions.setDefaultRoles(
+    permissions.ManageLibraries,
+    ('Manager', 'Site Administrator',)
+    )
diff --git a/Products/CMFPlone/tests/testCSRFProtection.py b/Products/CMFPlone/tests/testCSRFProtection.py
index bdbba95b3d..39446c9c02 100644
--- a/Products/CMFPlone/tests/testCSRFProtection.py
+++ b/Products/CMFPlone/tests/testCSRFProtection.py
@@ -63,9 +63,18 @@ def test_PloneTool_renameObjectsByPaths(self):
         self.assertTrue(self.portal.get('foo', None))
 
     def test_RegistrationTool_addMember(self):
-        self.checkAuthenticator(
-            '/portal_registration/addMember',
-            'id=john&password=y0d4Wg')
+        # self.checkAuthenticator(
+        #    '/portal_registration/addMember',
+        #    'id=john&password=y0d4Wg')
+        # instead of authenticator, with latest patch, addMember should not
+        # be published
+        path = '/portal_registration/addMember'
+        path = '/' + self.portal.absolute_url(relative=True) + path
+        query = 'id=john&password=y0d4Wg'
+        data = StringIO(query)
+        response = self.publish(path=path, env={},
+                                request_method='POST', stdin=data)
+        self.assertEqual(response.getStatus(), 404)
 
     def test_RegistrationTool_editMember(self):
         self.checkAuthenticator(
diff --git a/Products/CMFPlone/tests/testURLTool.py b/Products/CMFPlone/tests/testURLTool.py
index 1fa0b144ac..e08cc68f74 100644
--- a/Products/CMFPlone/tests/testURLTool.py
+++ b/Products/CMFPlone/tests/testURLTool.py
@@ -96,3 +96,12 @@ def test_isURLInPortalExternal(self):
         self.assertFalse(iURLiP('http://external4/other'))
         self.assertFalse(iURLiP('http://external5'))
         self.assertFalse(iURLiP('http://external11'))
+
+    def test_script_tag_url_not_in_portal(self):
+        self.assertFalse(self.portal.portal_url.isURLInPortal('<script>alert("hi");</script>'))
+        self.assertFalse(
+            self.portal.portal_url.isURLInPortal('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
+
+    def test_inline_url_not_in_portal(self):
+        self.assertFalse(self.portal.portal_url.isURLInPortal('javascript%3Aalert(3)'))
+        self.assertFalse(self.portal.portal_url.isURLInPortal('javascript:alert(3)'))
diff --git a/docs/CHANGES.rst b/docs/CHANGES.rst
index fa6bf2c9b5..162e415db1 100644
--- a/docs/CHANGES.rst
+++ b/docs/CHANGES.rst
@@ -8,6 +8,9 @@ Changelog
 4.3.7 (unreleased)
 ------------------
 
+- Apply hotfixes from https://pypi.python.org/pypi/Products.PloneHotfix20150910
+  [vangheem]
+
 - Do not throw a 404 on site root RSS feeds
   [vangheem]