{"id":"CVE-2016-7135","details":"Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions.","aliases":["GHSA-m7f9-65wr-pwch","PYSEC-2017-58"],"modified":"2026-04-10T03:53:05.117892Z","published":"2017-03-07T16:59:00.867Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"type":"WEB","url":"http://www.securityfocus.com/bid/92752"},{"type":"ADVISORY","url":"https://plone.org/security/hotfix/20160830/filesystem-information-leak"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Oct/80"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/4"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/5"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone","events":[{"introduced":"0"},{"last_affected":"2183c78b82e1d84deb661043b27356995251de41"},{"introduced":"0"},{"last_affected":"7d94a438dde3784322813a399d46c54cd5b864e5"},{"introduced":"0"},{"last_affected":"f3dd0b7fac24438482e4368280a534f868b75f97"},{"introduced":"0"},{"last_affected":"d8f0c3f23d11b3ecf37740b454c8698521eb9ef9"},{"introduced":"0"},{"last_affected":"4708ff915d63bf21a9434d328fcd0b656bc66d94"},{"introduced":"0"},{"last_affected":"bfad4ef994a9b471fbfb314256df6840f286a032"},{"introduced":"0"},{"last_affected":"2a627f292e8b06c376b5c7093189b78f778c96b6"},{"introduced":"0"},{"last_affected":"ccc8eff38984b0a25a5827aabfdb8ab5e798ce30"},{"introduced":"0"},{"last_affected":"3e0c78057de5798ed989d0b2ed9dd12ec39978e1"},{"introduced":"0"},{"last_affected":"8a6687397896c935b7f2c59b58500fdf234854bb"},{"introduced":"0"},{"last_affected":"b0a5c6ce2148edc9c2055961f64af788d1054fc4"},{"introduced":"0"},{"last_affected":"00a67de4ddd27cdec07ed6f4c834131b492e3f91"},{"introduced":"0"},{"last_affected":"16257e3b0027d6f811aceff565aca0879d85be7d"},{"introduced":"0"},{"last_affected":"cdf44d1d0bea8b8d48f896ad7821d37715142ccf"},{"introduced":"0"},{"last_affected":"ab50347a0aeb2c3d68b6f7faae6a82d0a0e91516"},{"introduced":"0"},{"last_affected":"c7ca35de26093e40ae01ad0778b960cfde71fb3d"},{"introduced":"0"},{"last_affected":"83b346aef1cd7a5ea851fe5c02af4b94648767c6"},{"introduced":"0"},{"last_affected":"829aa2dd9d8f088ebf8f3da49b9e32ba90326135"},{"introduced":"0"},{"last_affected":"217e9c10670623e7a06a7bdeca2f80dae73c77d0"},{"introduced":"0"},{"last_affected":"6ffff6a69083367d6d6720444aa067be4899780b"},{"introduced":"0"},{"last_affected":"c4244a4887e0901a1c17b3ee60e1cfbe19ee46c5"},{"introduced":"0"},{"last_affected":"006f2dc3068b6d935e30bbea8e4ba41f6acacf33"},{"introduced":"0"},{"last_affected":"5f05c642ef0796b15e447793755b1bbd8ce40905"},{"introduced":"0"},{"last_affected":"c3d7603485d808537e024883ce401ad504924a5a"},{"introduced":"0"},{"last_affected":"eb76237a4e6587a8249acfe0649c153d9d1df910"},{"introduced":"0"},{"last_affected":"006f2dc3068b6d935e30bbea8e4ba41f6acacf33"},{"introduced":"0"},{"last_affected":"5d3edca6781cf97ae971db366f847e01887995e2"},{"introduced":"0"},{"last_affected":"6371a276e3775cb11070862a0045b34aa1973b12"},{"introduced":"0"},{"last_affected":"d4d2a336b6ec125c60610a22a003502858ac51a5"},{"introduced":"0"},{"last_affected":"5fe576e77155d3a1946699472dc064c66e8facb5"},{"introduced":"0"},{"last_affected":"42964e94bc07a40a76496e9746fa10b57c21a2d7"},{"introduced":"0"},{"last_affected":"4d260f76643a633d312b81d568ca5bed57e330e0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.2"},{"introduced":"0"},{"last_affected":"4.2.1"},{"introduced":"0"},{"last_affected":"4.2.2"},{"introduced":"0"},{"last_affected":"4.2.3"},{"introduced":"0"},{"last_affected":"4.2.4"},{"introduced":"0"},{"last_affected":"4.2.5"},{"introduced":"0"},{"last_affected":"4.2.6"},{"introduced":"0"},{"last_affected":"4.2.7"},{"introduced":"0"},{"last_affected":"4.3"},{"introduced":"0"},{"last_affected":"4.3.1"},{"introduced":"0"},{"last_affected":"4.3.2"},{"introduced":"0"},{"last_affected":"4.3.3"},{"introduced":"0"},{"last_affected":"4.3.4"},{"introduced":"0"},{"last_affected":"4.3.5"},{"introduced":"0"},{"last_affected":"4.3.6"},{"introduced":"0"},{"last_affected":"4.3.7"},{"introduced":"0"},{"last_affected":"4.3.8"},{"introduced":"0"},{"last_affected":"4.3.9"},{"introduced":"0"},{"last_affected":"4.3.10"},{"introduced":"0"},{"last_affected":"4.3.11"},{"introduced":"0"},{"last_affected":"5.0"},{"introduced":"0"},{"last_affected":"5.0-a1"},{"introduced":"0"},{"last_affected":"5.0-rc1"},{"introduced":"0"},{"last_affected":"5.0-rc2"},{"introduced":"0"},{"last_affected":"5.0-rc3"},{"introduced":"0"},{"last_affected":"5.0.1"},{"introduced":"0"},{"last_affected":"5.0.2"},{"introduced":"0"},{"last_affected":"5.0.3"},{"introduced":"0"},{"last_affected":"5.0.4"},{"introduced":"0"},{"last_affected":"5.0.5"},{"introduced":"0"},{"last_affected":"5.0.6"},{"introduced":"0"},{"last_affected":"5.1a1"}]}}],"versions":["4.1.0","4.1a1","4.1a2","4.1a3","4.1b1","4.1b2","4.1rc1","4.1rc2","4.1rc3","4.2","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2a1","4.2a2","4.2b1","4.2b2","4.2rc1","4.2rc2","4.3","4.3.1","4.3.10","4.3.11","4.3.2","4.3.3","4.3.4","4.3.5","4.3.6","4.3.7","4.3.8","4.3.9","4.3a1","4.3a2","4.3b1","4.3b2","5.0","5.0.1","5.0.2","5.0.4","5.0.5","5.0.6","5.0a2","5.0a3","5.0b1","5.0b2","5.0b3","5.0b4","5.0rc1","5.0rc2","5.0rc3","5.1a1","5.1a2","5.1b1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7135.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}