{"id":"CVE-2016-7138","details":"Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.","aliases":["GHSA-v3hp-f8qr-cf3p","PYSEC-2017-61"],"modified":"2026-07-08T05:48:20.278292891Z","published":"2017-03-07T16:59:01.057Z","database_specific":{"unresolved_ranges":[{"vendor_product":"plone:plone","source":"CPE_STRING","extracted_events":[{"introduced":"3.3"},{"last_affected":"3.3"}],"cpes":["cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"type":"WEB","url":"http://www.securityfocus.com/bid/92752"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Oct/80"},{"type":"ADVISORY","url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/4"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/5"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone","events":[{"introduced":"1ccb8d78a4ddb938981cbe5a855715f2454dcec8"},{"last_affected":"4d260f76643a633d312b81d568ca5bed57e330e0"}],"database_specific":{"cpe":["cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"3.3"},{"last_affected":"3.3"},{"introduced":"3.3.1"},{"last_affected":"3.3.1"},{"introduced":"3.3.2"},{"last_affected":"3.3.2"},{"introduced":"3.3.3"},{"last_affected":"3.3.3"},{"introduced":"3.3.4"},{"last_affected":"3.3.4"},{"introduced":"3.3.5"},{"last_affected":"3.3.5"},{"introduced":"3.3.6"},{"last_affected":"3.3.6"},{"introduced":"4.0"},{"last_affected":"4.0"},{"introduced":"4.0.1"},{"last_affected":"4.0.1"},{"introduced":"4.0.2"},{"last_affected":"4.0.2"},{"introduced":"4.0.3"},{"last_affected":"4.0.3"},{"introduced":"4.0.4"},{"last_affected":"4.0.4"},{"introduced":"4.0.5"},{"last_affected":"4.0.5"},{"introduced":"4.0.7"},{"last_affected":"4.0.7"},{"introduced":"4.0.8"},{"last_affected":"4.0.8"},{"introduced":"4.0.9"},{"last_affected":"4.0.9"},{"introduced":"4.0.10"},{"last_affected":"4.0.10"},{"introduced":"4.1"},{"last_affected":"4.1"},{"introduced":"4.1.1"},{"last_affected":"4.1.1"},{"introduced":"4.1.2"},{"last_affected":"4.1.2"},{"introduced":"4.1.3"},{"last_affected":"4.1.3"},{"introduced":"4.1.4"},{"last_affected":"4.1.4"},{"introduced":"4.1.5"},{"last_affected":"4.1.5"},{"introduced":"4.1.6"},{"last_affected":"4.1.6"},{"introduced":"4.2"},{"last_affected":"4.2"},{"introduced":"4.2.1"},{"last_affected":"4.2.1"},{"introduced":"4.2.2"},{"last_affected":"4.2.2"},{"introduced":"4.2.3"},{"last_affected":"4.2.3"},{"introduced":"4.2.4"},{"last_affected":"4.2.4"},{"introduced":"4.2.5"},{"last_affected":"4.2.5"},{"introduced":"4.2.6"},{"last_affected":"4.2.6"},{"introduced":"4.2.7"},{"last_affected":"4.2.7"},{"introduced":"4.3"},{"last_affected":"4.3"},{"introduced":"4.3.1"},{"last_affected":"4.3.1"},{"introduced":"4.3.2"},{"last_affected":"4.3.2"},{"introduced":"4.3.3"},{"last_affected":"4.3.3"},{"introduced":"4.3.4"},{"last_affected":"4.3.4"},{"introduced":"4.3.5"},{"last_affected":"4.3.5"},{"introduced":"4.3.6"},{"last_affected":"4.3.6"},{"introduced":"4.3.7"},{"last_affected":"4.3.7"},{"introduced":"4.3.8"},{"last_affected":"4.3.8"},{"introduced":"4.3.9"},{"last_affected":"4.3.9"},{"introduced":"4.3.10"},{"last_affected":"4.3.10"},{"introduced":"4.3.11"},{"last_affected":"4.3.11"},{"introduced":"5.0"},{"last_affected":"5.0"},{"introduced":"5.0-a1"},{"last_affected":"5.0-a1"},{"introduced":"5.0.1"},{"last_affected":"5.0.1"},{"introduced":"5.0-rc1"},{"last_affected":"5.0-rc1"},{"introduced":"5.0-rc2"},{"last_affected":"5.0-rc2"},{"introduced":"5.0-rc3"},{"last_affected":"5.0-rc3"},{"introduced":"5.0.2"},{"last_affected":"5.0.2"},{"introduced":"5.0.3"},{"last_affected":"5.0.3"},{"introduced":"5.0.4"},{"last_affected":"5.0.4"},{"introduced":"5.0.5"},{"last_affected":"5.0.5"},{"introduced":"5.0.6"},{"last_affected":"5.0.6"},{"introduced":"5.1a1"},{"last_affected":"5.1a1"}]}}],"versions":["3.3","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","4.0","4.0.1","4.0.10","4.0.2","4.0.3","4.0.4","4.0.5","4.0.7","4.0.8","4.0.9","4.1","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.2","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.3","4.3.1","4.3.10","4.3.11","4.3.2","4.3.3","4.3.4","4.3.5","4.3.6","4.3.7","4.3.8","4.3.9","5.0","5.0-a1","5.0-rc1","5.0-rc2","5.0-rc3","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.1a1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7138.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone.namedfile","events":[{"introduced":"18c7758e464f45568ad89b81877d5c8fe8fa1fa4"},{"last_affected":"5d4997222da0a134f49b2f7f3ab993b683ab6210"}],"database_specific":{"source":"CPE_STRING","cpe":["cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.0"},{"last_affected":"4.0"},{"introduced":"4.1"},{"last_affected":"4.1"},{"introduced":"4.1.1"},{"last_affected":"4.1.1"},{"introduced":"4.1.2"},{"last_affected":"4.1.2"},{"introduced":"4.2"},{"last_affected":"4.2"},{"introduced":"4.2.1"},{"last_affected":"4.2.1"},{"introduced":"4.2.2"},{"last_affected":"4.2.2"},{"introduced":"4.2.3"},{"last_affected":"4.2.3"},{"introduced":"4.2.4"},{"last_affected":"4.2.4"},{"introduced":"4.2.5"},{"last_affected":"4.2.5"},{"introduced":"4.2.6"},{"last_affected":"4.2.6"},{"introduced":"4.2.7"},{"last_affected":"4.2.7"},{"introduced":"4.3"},{"last_affected":"4.3"},{"introduced":"5.0-a1"},{"last_affected":"5.0-a1"},{"introduced":"5.0.1"},{"last_affected":"5.0.1"},{"introduced":"5.0.2"},{"last_affected":"5.0.2"},{"introduced":"5.0.3"},{"last_affected":"5.0.3"},{"introduced":"5.0.4"},{"last_affected":"5.0.4"},{"introduced":"5.0.5"},{"last_affected":"5.0.5"}]}}],"versions":["4.0","4.1","4.1.1","4.1.2","4.2","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.3","5.0-a1","5.0.2","5.0.3","5.0.4","5.0.5","5.0.1","4.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7138.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}