cbcvebase.
CVE-2013-4200
published 2014-01-21

CVE-2013-4200: The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with…

PriorityP431medium5.8CVSS 2.0
AVNACMAuNCPIPAN
EXPLOIT
EPSS
2.36%
81.7th percentile
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.

Affected

49 ranges· showing 25
VendorProductVersion rangeFixed in
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
ploneplone
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.