Vulnerability Description
Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plone | Plone | 2.5.5 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96117
- https://plone.org/security/hotfix/20170117PatchRelease NotesVendor Advisory
- https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2Vendor Advisory
- https://www.curesec.com/blog/article/blog/Plone-XSS-186.htmlPatchThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/96117
- https://plone.org/security/hotfix/20170117PatchRelease NotesVendor Advisory
- https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2Vendor Advisory
- https://www.curesec.com/blog/article/blog/Plone-XSS-186.htmlPatchThird Party AdvisoryVDB Entry
FAQ
What is CVE-2016-7147?
CVE-2016-7147 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary we...
How severe is CVE-2016-7147?
CVE-2016-7147 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-7147?
Check the references section above for vendor advisories and patch information. Affected products include: Plone Plone.