CVE-2017-1000481

Description

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.

Category

6.1
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.20%
Vendor Advisory plone.org
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://plone.org/security/hotfix/20171128/open-redirection-on-login-form vendor advisory

Frequently Asked Questions

What is the severity of CVE-2017-1000481?
CVE-2017-1000481 has been scored as a medium severity vulnerability.
How to fix CVE-2017-1000481?
To fix CVE-2017-1000481, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-1000481 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2017-1000481 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.