[Product Description] Plone is a free and open source content management system built on top of the Zope application server. Plone is positioned as an "Enterprise CMS" and is most commonly used for intranets and as part of the web presence of large organizations [Systems Affected] Product : Plone Version : All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested. [Vulnerabilities] 3 vulnerabilities were identified within this application: (1) Reflected XSS (CVE-2016-7136 / CVE-2016-7138 / CVE-2016-7139 / CVE-2016-7140) (2) Path Traversal (CVE-2016-7135) (3) Open Redirection (CVE-2016-7137) [Advisory Timeline] 18/07/2016 - Discovery and vendor notification 18/07/2016 - Vendor confirmed vulnerabilities and started working on the fixes 30/08/2016 - Patch published by vendor 12/10/2016 - Public disclosure [Patch Available] According to the vendor, apply the hotfix 20160830 https://plone.org/security/hotfix/20160830 [Description of Vulnerabilities] (1) Reflected XSS Several Reflected Cross-Site Scripting were found within the application. Except the first two instances, all the other instances are only accessible by the "admin" user [Vulnerable URLs and parameters] /Plone/login_form [next parameter] /Plone/@@confirm-action [original_url parameter] ***See note 1*** /Plone/@@filter-controlpanel [form.widgets.class_blacklist parameter] /Plone/@@filter-controlpanel [form.widgets.custom_tags parameter] /Plone/@@filter-controlpanel [form.widgets.nasty_tags parameter] /Plone/@@filter-controlpanel [form.widgets.stripped_attributes parameter] /Plone/@@filter-controlpanel [form.widgets.stripped_tags parameter] /Plone/@@tinymce-controlpanel [form.widgets.alignment_styles parameter] /Plone/@@tinymce-controlpanel [form.widgets.block_styles parameter] /Plone/@@tinymce-controlpanel [form.widgets.contains_objects parameter] /Plone/@@tinymce-controlpanel [form.widgets.content_css parameter] /Plone/@@tinymce-controlpanel [form.widgets.header_styles parameter] /Plone/@@tinymce-controlpanel [form.widgets.image_objects parameter] /Plone/@@tinymce-controlpanel [form.widgets.inline_styles parameter] /Plone/@@tinymce-controlpanel [form.widgets.libraries_atd_ignore_strings parameter] /Plone/@@tinymce-controlpanel [form.widgets.libraries_atd_show_types parameter] /Plone/@@tinymce-controlpanel [form.widgets.menubar parameter] /Plone/@@tinymce-controlpanel [form.widgets.table_styles parameter] /Plone/@@user-information [userid parameter] /Plone/@@navigation-controlpanel [form.widgets.parent_types_not_to_query parameter] [References] CVE-2016-7136 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms CVE-2016-7138 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1 CVE-2016-7139 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone CVE-2016-7140 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2 [Proof Of Concept] - /Plone/login_form?next=jaVascrIpt%3aalert(1)%2f%2f - /Plone/@@filter-controlpanel?form.widgets.class_blacklist= - /Plone/@@user-information?userid=admin [Notes] Note 1 - The javascript code is executed when the "Confirm" button is clicked (2) Path Traversal A Path traversal vulnerability was found within the application that allows to browse filesystem files using the permissions of the user who is running the service. The resource is only accessible by the "admin" user [Vulnerable URLs and parameters] /Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions [path parameter] [References] CVE-2016-7135 https://plone.org/security/hotfix/20160830/filesystem-information-leak [Proof Of Concept] - /Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions?&action=getFile&path=/../../../../../../../../../etc/passwd - /Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions?&action=getFile&path=/../../../../../../../../../var/www/html/zinstance/parts/instance/inituser (3) Open Redirection 3 Instances of an open redirection were found within the application, allowing any user to be redirected to an external website (such as a phishing website) and therefore steal the user's credentials [Vulnerable URLs and parameters] /Plone/%2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions [referer parameter] /Plone/folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b/portlets.Actions [referer parameter] /Plone/login_form [came_from parameter] [References] CVE-2016-7137 https://plone.org/security/hotfix/20160830/open-redirection-in-plone [Proof Of Concept] - /Plone/login_form?came_from=\\www.google.com/a?/Plone/folder_contents&next=&ajax_load=&ajax_include_head=&target=&mail_password_url=&join_url=&form.submitted=1&js_enabled=0&cookies_enabled=&login_name=&pwd_empty=0&__ac_name=admin&__ac_password=&submit=Log+in S3ba @s3bap3 linkedin.com/in/s3bap3