[Product Description] Plone is a free and open source content management system built on top of the Zope application server. Plone is positioned as an "Enterprise CMS" and is most commonly used for intranets and as part of the web presence of large organizations [Systems Affected] Product : Plone Version : All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested. [Vulnerabilities] 3 vulnerabilities were identified within this application: (1) Reflected XSS (CVE-2016-7136 / CVE-2016-7138 / CVE-2016-7139 / CVE-2016-7140) (2) Path Traversal (CVE-2016-7135) (3) Open Redirection (CVE-2016-7137) [Advisory Timeline] 18/07/2016 - Discovery and vendor notification 18/07/2016 - Vendor confirmed vulnerabilities and started working on the fixes 30/08/2016 - Patch published by vendor 12/10/2016 - Public disclosure [Patch Available] According to the vendor, apply the hotfix 20160830 https://plone.org/security/hotfix/20160830 [Description of Vulnerabilities] (1) Reflected XSS Several Reflected Cross-Site Scripting were found within the application. Except the first two instances, all the other instances are only accessible by the "admin" user [Vulnerable URLs and parameters] <Plone Server>/Plone/login_form [next parameter] <Plone Server>/Plone/@@confirm-action [original_url parameter] ***See note 1*** <Plone Server>/Plone/@@filter-controlpanel [form.widgets.class_blacklist parameter] <Plone Server>/Plone/@@filter-controlpanel [form.widgets.custom_tags parameter] <Plone Server>/Plone/@@filter-controlpanel [form.widgets.nasty_tags parameter] <Plone Server>/Plone/@@filter-controlpanel [form.widgets.stripped_attributes parameter] <Plone Server>/Plone/@@filter-controlpanel [form.widgets.stripped_tags parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.alignment_styles parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.block_styles parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.contains_objects parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.content_css parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.header_styles parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.image_objects parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.inline_styles parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.libraries_atd_ignore_strings parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.libraries_atd_show_types parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.menubar parameter] <Plone Server>/Plone/@@tinymce-controlpanel [form.widgets.table_styles parameter] <Plone Server>/Plone/@@user-information [userid parameter] <Plone Server>/Plone/@@navigation-controlpanel [form.widgets.parent_types_not_to_query parameter] [References] CVE-2016-7136 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-forms CVE-2016-7138 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone-1 CVE-2016-7139 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone CVE-2016-7140 https://plone.org/security/hotfix/20160830/non-persistent-xss-in-zope2 [Proof Of Concept] - <Plone Server>/Plone/login_form?next=jaVascrIpt%3aalert(1)%2f%2f - <Plone Server>/Plone/@@filter-controlpanel?form.widgets.class_blacklist=</textarea><script>alert("form.widgets.class_blacklist")</script> - <Plone Server>/Plone/@@user-information?userid=admin<script>alert("userid")</script> [Notes] Note 1 - The javascript code is executed when the "Confirm" button is clicked (2) Path Traversal A Path traversal vulnerability was found within the application that allows to browse filesystem files using the permissions of the user who is running the service. The resource is only accessible by the "admin" user [Vulnerable URLs and parameters] <Plone Server>/Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions [path parameter] [References] CVE-2016-7135 https://plone.org/security/hotfix/20160830/filesystem-information-leak [Proof Of Concept] - <Plone Server>/Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions?&action=getFile&path=/../../../../../../../../../etc/passwd - <Plone Server>/Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions?&action=getFile&path=/../../../../../../../../../var/www/html/zinstance/parts/instance/inituser (3) Open Redirection 3 Instances of an open redirection were found within the application, allowing any user to be redirected to an external website (such as a phishing website) and therefore steal the user's credentials [Vulnerable URLs and parameters] <Plone Server>/Plone/%2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions [referer parameter] <Plone Server>/Plone/folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b/portlets.Actions [referer parameter] <Plone Server>/Plone/login_form [came_from parameter] [References] CVE-2016-7137 https://plone.org/security/hotfix/20160830/open-redirection-in-plone [Proof Of Concept] - <Plone Server>/Plone/login_form?came_from=\\www.google.com/a?<Plone Server>/Plone/folder_contents&next=&ajax_load=&ajax_include_head=&target=&mail_password_url=&join_url=&form.submitted=1&js_enabled=0&cookies_enabled=&login_name=&pwd_empty=0&__ac_name=admin&__ac_password=&submit=Log+in S3ba @s3bap3 linkedin.com/in/s3bap3