6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-7316

CVE-2015-7316: Plone Cross-site Scripting Vulnerability

Plone's URL checking infrastructure includes a method for checking if URLs valid and located in the Plone site. By passing HTML into a specially crafted url containing <script, %3Cscript, javascript:, or javascript%3A, Cross-site Scripting can be achieved.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2015-7316

CVE-2015-7316:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
plone	pip	= 5.0rc1
Plone	pip	>= 3.3, <= 3.3.6	3.3.7
Plone	pip	>= 4.0, <= 4.0.10	4.0.11
Plone	pip	>= 4.1, <= 4.1.6	4.1.7
Plone	pip	>= 4.2, <= 4.2.7	4.2.8
Plone	pip	>= 4.3, < 4.3.7	4.3.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub commit 3da710a shows the vulnerability was patched by adding explicit checks for XSS patterns in the isURLInPortal method of URLTool.py. The advisory descriptions explicitly mention this URL validation method as the attack vector, and the added test cases in testURLTool.py verify the XSS prevention logic was implemented in this function. The function's purpose (validating URLs within the Plone site) directly aligns with the vulnerability's attack vector described in CVE-2015-7316.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2015-7316: Plone Cross-site Scripting Vulnerability

CVE-2015-7316:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2015-7316: Plone Cross-site Scripting Vulnerability

6.1

6.1

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI