{"url":"http://public2.vulnerablecode.io/api/packages/201800?format=json","purl":"pkg:pypi/products.cmfplone@4.2.4","type":"pypi","namespace":"","name":"products.cmfplone","version":"4.2.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.0.10","latest_non_vulnerable_version":"5.1.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42218?format=json","vulnerability_id":"VCID-brdm-3g1t-6fgv","summary":"Cross-site Scripting and Open Redirect in Products.CMFPlone\nPlone is vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish.","references":[{"reference_url":"https://github.com/plone/Products.CMFPlone","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/Products.CMFPlone"},{"reference_url":"https://github.com/advisories/GHSA-8w54-22w9-3g8f","reference_id":"GHSA-8w54-22w9-3g8f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8w54-22w9-3g8f"},{"reference_url":"https://github.com/plone/Products.CMFPlone/security/advisories/GHSA-8w54-22w9-3g8f","reference_id":"GHSA-8w54-22w9-3g8f","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/Products.CMFPlone/security/advisories/GHSA-8w54-22w9-3g8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/203878?format=json","purl":"pkg:pypi/products.cmfplone@5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gd5v-ueah-j7eh"},{"vulnerability":"VCID-mu56-js96-3fdr"},{"vulnerability":"VCID-zg7t-g8m5-nbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/60322?format=json","purl":"pkg:pypi/products.cmfplone@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69ps-uetw-y3gf"},{"vulnerability":"VCID-dg61-tw4u-dbcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@5.0.0"}],"aliases":["GHSA-8w54-22w9-3g8f","GMS-2022-46"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-brdm-3g1t-6fgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38094?format=json","vulnerability_id":"VCID-gd5v-ueah-j7eh","summary":"Privilege escalation in webdav\nA missing webdav security declaration would allow unauthorized webdav access.","references":[{"reference_url":"https://plone.org/products/plone/security/advisories/20160419-announcement","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20160419-announcement"},{"reference_url":"https://plone.org/security/20160419/privilege-escalation-in-webdav","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/20160419/privilege-escalation-in-webdav"}],"fixed_packages":[],"aliases":["GMS-2016-28"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gd5v-ueah-j7eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35116?format=json","vulnerability_id":"VCID-h4kd-eh8g-gude","summary":"Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7316.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7316.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7316","reference_id":"","reference_type":"","scores":[{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66808","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66767","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7316"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1264788","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1264788"},{"reference_url":"https://github.com/plone/Plone","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/Plone"},{"reference_url":"https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-53.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-53.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7316","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7316"},{"reference_url":"https://plone.org/security/20150910/","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/20150910/"},{"reference_url":"https://plone.org/security/20150910/non-persistent-xss-in-plone","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/20150910/non-persistent-xss-in-plone"},{"reference_url":"https://plone.org/security/hotfix/20150910/non-persistent-xss-in-plone","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://plone.org/security/hotfix/20150910/non-persistent-xss-in-plone"},{"reference_url":"https://pypi.org/project/Products.PloneHotfix20150910","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/Products.PloneHotfix20150910"},{"reference_url":"https://pypi.python.org/pypi/Products.PloneHotfix20150910","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/Products.PloneHotfix20150910"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/09/22/14","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/09/22/14"},{"reference_url":"https://github.com/advisories/GHSA-vf8g-m3vq-6p4p","reference_id":"GHSA-vf8g-m3vq-6p4p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vf8g-m3vq-6p4p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54171?format=json","purl":"pkg:pypi/products.cmfplone@4.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-brdm-3g1t-6fgv"},{"vulnerability":"VCID-gd5v-ueah-j7eh"},{"vulnerability":"VCID-vyc7-kfh2-vbfy"},{"vulnerability":"VCID-zg7t-g8m5-nbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@4.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54172?format=json","purl":"pkg:pypi/products.cmfplone@5.0rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-brdm-3g1t-6fgv"},{"vulnerability":"VCID-gd5v-ueah-j7eh"},{"vulnerability":"VCID-mu56-js96-3fdr"},{"vulnerability":"VCID-zg7t-g8m5-nbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@5.0rc2"}],"aliases":["CVE-2015-7316","GHSA-vf8g-m3vq-6p4p","PYSEC-2017-53"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h4kd-eh8g-gude"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37926?format=json","vulnerability_id":"VCID-vyc7-kfh2-vbfy","summary":"Multiple CSRF vulnerabilities in Management Interface\nThere are multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface).","references":[{"reference_url":"https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf","reference_id":"CVE-2015-7293;OSVDB-128533;OSVDB-128532","reference_type":"exploit","scores":[],"url":"https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/201816?format=json","purl":"pkg:pypi/products.cmfplone@5.0a1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-brdm-3g1t-6fgv"},{"vulnerability":"VCID-gd5v-ueah-j7eh"},{"vulnerability":"VCID-h4kd-eh8g-gude"},{"vulnerability":"VCID-mu56-js96-3fdr"},{"vulnerability":"VCID-wuas-tkd4-rkd4"},{"vulnerability":"VCID-zg7t-g8m5-nbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@5.0a1"}],"aliases":["GMS-2015-35"],"risk_score":null,"exploitability":"1.0","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vyc7-kfh2-vbfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38093?format=json","vulnerability_id":"VCID-zg7t-g8m5-nbat","summary":"Unauthorized disclosure of site content\nA vulnerability that allows attackers to gain information about private site content.","references":[{"reference_url":"https://plone.org/products/plone/security/advisories/20160419-announcement","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20160419-announcement"},{"reference_url":"https://plone.org/security/20160419/unauthorized-disclosure-of-site-content","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/20160419/unauthorized-disclosure-of-site-content"}],"fixed_packages":[],"aliases":["GMS-2016-27"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zg7t-g8m5-nbat"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/products.cmfplone@4.2.4"}