{"url":"http://public2.vulnerablecode.io/api/packages/57288?format=json","purl":"pkg:pypi/plone@5.0.0","type":"pypi","namespace":"","name":"plone","version":"5.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.2.5","latest_non_vulnerable_version":"6.0.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35035?format=json","vulnerability_id":"VCID-17w2-gd3m-2qff","summary":"z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request.","references":[{"reference_url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html","reference_id":"","reference_type":"","scores":[],"url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html"},{"reference_url":"http://seclists.org/fulldisclosure/2016/Oct/80","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/fulldisclosure/2016/Oct/80"},{"reference_url":"https://github.com/plone/Plone","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Plone"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-59.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-59.yaml"},{"reference_url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms"},{"reference_url":"https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752"},{"reference_url":"https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/09/05/4","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2016/09/05/4"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/09/05/5","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2016/09/05/5"},{"reference_url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/bid/92752","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/92752"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7136","reference_id":"CVE-2016-7136","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7136"},{"reference_url":"https://github.com/advisories/GHSA-22jm-p2vv-j2hc","reference_id":"GHSA-22jm-p2vv-j2hc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-22jm-p2vv-j2hc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9625?format=json","purl":"pkg:pypi/plone@5.0.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29gf-82fr-k3h8"},{"vulnerability":"VCID-5ry7-xy6b-5fag"},{"vulnerability":"VCID-69ps-uetw-y3gf"},{"vulnerability":"VCID-8rp3-p3qe-x7ej"},{"vulnerability":"VCID-8wkk-84ky-17ak"},{"vulnerability":"VCID-951j-w95x-83g8"},{"vulnerability":"VCID-9gu8-dgkr-sua3"},{"vulnerability":"VCID-ax8a-2g7j-6ya2"},{"vulnerability":"VCID-basq-jjsf-3fbd"},{"vulnerability":"VCID-bmwk-nutp-r3fs"},{"vulnerability":"VCID-d42u-s7za-a3ad"},{"vulnerability":"VCID-dg61-tw4u-dbcc"},{"vulnerability":"VCID-edq7-7ncc-mbfx"},{"vulnerability":"VCID-eu4z-htaq-c3d6"},{"vulnerability":"VCID-exan-4j3e-2qeh"},{"vulnerability":"VCID-fdpc-runu-ekah"},{"vulnerability":"VCID-j8fv-uhxw-jkcw"},{"vulnerability":"VCID-jvvz-bafs-t7gc"},{"vulnerability":"VCID-p71t-er3d-9fdn"},{"vulnerability":"VCID-pzke-4by2-w3hk"},{"vulnerability":"VCID-q7nt-b3s9-9kf6"},{"vulnerability":"VCID-r52t-hx1j-ufa1"},{"vulnerability":"VCID-x2xm-hpc2-uubq"},{"vulnerability":"VCID-z4jt-v88h-77er"},{"vulnerability":"VCID-zwnj-revc-vbd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7"}],"aliases":["CVE-2016-7136","GHSA-22jm-p2vv-j2hc","PYSEC-2017-59"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17w2-gd3m-2qff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35037?format=json","vulnerability_id":"VCID-5n6e-cha8-nyb8","summary":"Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.","references":[{"reference_url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html","reference_id":"","reference_type":"","scores":[],"url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html"},{"reference_url":"http://seclists.org/fulldisclosure/2016/Oct/80","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/fulldisclosure/2016/Oct/80"},{"reference_url":"https://github.com/plone/Plone","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Plone"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-61.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2017-61.yaml"},{"reference_url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1"},{"reference_url":"https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20210625091607/http://www.securityfocus.com/bid/92752"},{"reference_url":"https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20210625092107/http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/09/05/4","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2016/09/05/4"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/09/05/5","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2016/09/05/5"},{"reference_url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/bid/92752","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/92752"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7138","reference_id":"CVE-2016-7138","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7138"},{"reference_url":"https://github.com/advisories/GHSA-v3hp-f8qr-cf3p","reference_id":"GHSA-v3hp-f8qr-cf3p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v3hp-f8qr-cf3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9625?format=json","purl":"pkg:pypi/plone@5.0.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29gf-82fr-k3h8"},{"vulnerability":"VCID-5ry7-xy6b-5fag"},{"vulnerability":"VCID-69ps-uetw-y3gf"},{"vulnerability":"VCID-8rp3-p3qe-x7ej"},{"vulnerability":"VCID-8wkk-84ky-17ak"},{"vulnerability":"VCID-951j-w95x-83g8"},{"vulnerability":"VCID-9gu8-dgkr-sua3"},{"vulnerability":"VCID-ax8a-2g7j-6ya2"},{"vulnerability":"VCID-basq-jjsf-3fbd"},{"vulnerability":"VCID-bmwk-nutp-r3fs"},{"vulnerability":"VCID-d42u-s7za-a3ad"},{"vulnerability":"VCID-dg61-tw4u-dbcc"},{"vulnerability":"VCID-edq7-7ncc-mbfx"},{"vulnerability":"VCID-eu4z-htaq-c3d6"},{"vulnerability":"VCID-exan-4j3e-2qeh"},{"vulnerability":"VCID-fdpc-runu-ekah"},{"vulnerability":"VCID-j8fv-uhxw-jkcw"},{"vulnerability":"VCID-jvvz-bafs-t7gc"},{"vulnerability":"VCID-p71t-er3d-9fdn"},{"vulnerability":"VCID-pzke-4by2-w3hk"},{"vulnerability":"VCID-q7nt-b3s9-9kf6"},{"vulnerability":"VCID-r52t-hx1j-ufa1"},{"vulnerability":"VCID-x2xm-hpc2-uubq"},{"vulnerability":"VCID-z4jt-v88h-77er"},{"vulnerability":"VCID-zwnj-revc-vbd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.7"}],"aliases":["CVE-2016-7138","GHSA-v3hp-f8qr-cf3p","PYSEC-2017-61"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5n6e-cha8-nyb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35164?format=json","vulnerability_id":"VCID-edq7-7ncc-mbfx","summary":"By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)","references":[{"reference_url":"https://github.com/advisories/GHSA-xvwv-6wvx-px9x","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xvwv-6wvx-px9x"},{"reference_url":"https://github.com/plone/Plone","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Plone"},{"reference_url":"https://github.com/plone/Products.CMFPlone/issues/2232","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Products.CMFPlone/issues/2232"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-73.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2018-73.yaml"},{"reference_url":"https://plone.org/security/hotfix/20171128/an-open-redirection-when-calling-a-specific-url","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/security/hotfix/20171128/an-open-redirection-when-calling-a-specific-url"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000484","reference_id":"CVE-2017-1000484","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000484"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10591?format=json","purl":"pkg:pypi/plone@5.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29gf-82fr-k3h8"},{"vulnerability":"VCID-8rp3-p3qe-x7ej"},{"vulnerability":"VCID-8wkk-84ky-17ak"},{"vulnerability":"VCID-951j-w95x-83g8"},{"vulnerability":"VCID-9gu8-dgkr-sua3"},{"vulnerability":"VCID-ax8a-2g7j-6ya2"},{"vulnerability":"VCID-basq-jjsf-3fbd"},{"vulnerability":"VCID-bmwk-nutp-r3fs"},{"vulnerability":"VCID-d42u-s7za-a3ad"},{"vulnerability":"VCID-eu4z-htaq-c3d6"},{"vulnerability":"VCID-exan-4j3e-2qeh"},{"vulnerability":"VCID-fdpc-runu-ekah"},{"vulnerability":"VCID-j8fv-uhxw-jkcw"},{"vulnerability":"VCID-p71t-er3d-9fdn"},{"vulnerability":"VCID-q7nt-b3s9-9kf6"},{"vulnerability":"VCID-r52t-hx1j-ufa1"},{"vulnerability":"VCID-x2xm-hpc2-uubq"},{"vulnerability":"VCID-z4jt-v88h-77er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.1.0"}],"aliases":["CVE-2017-1000484","GHSA-xvwv-6wvx-px9x","PYSEC-2018-73"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-edq7-7ncc-mbfx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/plone@5.0.0"}