CVE intelligence and bounded remediation

CVE-2017-1000481 — Plone Plone security vulnerability

Medium CVSS 6.1

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.

Severity
Medium
CVSS
6.1 (3.0)
Published
2018-01-03
CISA KEV
Not currently listed
Ecosystem
javascript/npm
Weaknesses
CWE-601

Affected products

  • plone / plone / 2.5.5
  • plone / plone / 3.3
  • plone / plone / 3.3.1
  • plone / plone / 3.3.2
  • plone / plone / 3.3.3
  • plone / plone / 3.3.4

Showing 6 representative product identities from 67 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

General vulnerability remediation

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Confirm the affected component, deployment paths, reachable interfaces, and enabled features from inventories and configuration, without probing production destructively.
  • Compare the advisory's affected conditions with the repository lockfiles, build manifests, artifacts, and runtime inventory.
  • Identify data sensitivity, trust boundaries, and privilege level for every confirmed affected deployment.

Remediate safely

  • Apply a vendor-supported fix or remove the affected component or feature; record the selected change and its source in the repository.
  • Update direct and transitive dependency locks, generated artifacts, deployment manifests, and asset inventories together.
  • Add a regression test for the documented unsafe condition using inert inputs and preserve rollback instructions.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.