6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000481

GHSA ID

GHSA-8g72-gq68-6gqh

EPSS Score

0.42124%

CWE

CWE-601

Published

5/14/2022

Updated

10/17/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000481

CVE-2017-1000481: Products.CMFPlone Open Redirect Vulnerability

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the isURLInPortal check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000481

GHSA ID

GHSA-8g72-gq68-6gqh

EPSS Score

0.42124%

CWE

CWE-601

Published

5/14/2022

Updated

10/17/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Products.CMFPlone	pip	< 4.3.17	4.3.17
Products.CMFPlone	pip	>= 5.0.0, < 5.0.10	5.0.10
Products.CMFPlone	pip	>= 5.1a1, < 5.1.0	5.1.0
Plone	pip	>= 2.5, < 4.3.16	4.3.16
Plone	pip	>= 5, < 5.1.0	5.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation in the isURLInPortal() function, which is responsible for ensuring redirects stay within the portal. The provided commit diffs (e.g., 05a943e) explicitly modify this function to add schema validation, HTML unescaping, and substring checks for malicious patterns. These fixes directly address the bypass techniques described in the vulnerability report, confirming this function was the weak point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n you visit * p*** w**r* you n*** to lo*in, Plon* *.*-*.*r** s*n*s you to t** lo*in *orm wit* * '**m*_*rom' p*r*m*t*r s*t to t** pr*vious url. **t*r you lo*in, you **t r**ir**t** to t** p*** you tri** to vi*w ***or*. *n *tt**k*r mi**t try to **us*

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt `v*li**tion` in t** `isURLInPort*l()` *un*tion, w*i** is r*sponsi*l* *or *nsurin* r**ir**ts st*y wit*in t** port*l. T** provi*** *ommit *i**s (*.*., *******) *xpli*itly mo*i*y t*is *un*tion to *** s***m* `v*l

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-1000481: Products.CMFPlone Open Redirect Vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI