5.4

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2017-1000482

GHSA ID

GHSA-859j-668v-mrr6

EPSS Score

0.51866%

CWE

CWE-79

Published

5/14/2022

Updated

10/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000482

CVE-2017-1000482: Products.CMFPlone XSS in profile home_page property

A member of the Plone site could set javascript in the home_page property of their profile, and have this executed when a visitor clicks the home page link on the author page.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2017-1000482

CVE-2017-1000482:

5.4

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2017-1000482

GHSA ID

GHSA-859j-668v-mrr6

EPSS Score

0.51866%

CWE

CWE-79

Published

5/14/2022

Updated

10/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Products.CMFPlone	pip	< 4.3.17	4.3.17
Products.CMFPlone	pip	>= 5.0.0, < 5.0.10	5.0.10
Products.CMFPlone	pip	>= 5.1a1, < 5.1.0	5.1.0
Plone	pip	>= 2.5a1, < 4.3.16	4.3.16
Plone	pip	>= 5.0a1, < 5.1.0	5.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper URL validation in the isURLInPortal method. The commit 05a943ecbcdda56bacc93b55c9e2e908d8a7dfab shows critical changes to this function: introducing ALLOWED_SCHEMAS to restrict protocols, BAD_URL_PARTS to block XSS patterns, and HTML unescaping to prevent encoded payloads. These changes directly address the XSS vector described in CVE-2017-1000482, confirming this function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2017-1000482: Products.CMFPlone XSS in profile home_page property

CVE-2017-1000482:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-1000482: Products.CMFPlone XSS in profile home_page property

5.4

5.4

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI