URL Redirection to Untrusted Site ('Open Redirect') in Products.isurlinportal
CVE-2021-32806

6.5 MEDIUM

Key Information:

Vendor: Plone
CVE Published: 2 August 2021

What is CVE-2021-32806?

Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Versions of Products.isurlinportal prior to 1.2.0 have an Open Redirect vulnerability. Various parts of Plone use the 'is url in portal' check for security, mostly to decide whether it is safe to redirect to a URL. A URL like https://example.org is not in the portal. The URL https:example.org, without slashes, is considered to be in the portal. When redirecting, some browsers go to https://example.org, while others give an error. Attackers may use this to redirect victims to their site, especially as part of a phishing attack. The problem has been patched in Products.isurlinportal 1.2.0.
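
The class of check described above, as an added example that is not Plone's or Products.isurlinportal's own code: a validator that treats every URL without a host as portal-relative accepts https:example.org, while one that rejects a scheme with no host does not. The function names, PORTAL_URL and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PORTAL_URL = "https://portal.example/site"  # constructed portal address


def _same_site(parts, portal):
    """True when scheme, host and path prefix all match the portal."""
    inside = parts.path == portal.path or parts.path.startswith(portal.path + "/")
    return (parts.scheme, parts.netloc) == (portal.scheme, portal.netloc) and inside


def naive_is_url_in_portal(url, portal_url=PORTAL_URL):
    """Flawed: any URL without a host is assumed to be portal-relative."""
    parts = urlsplit(url)
    if not parts.netloc:
        return True  # "https:example.org" has no netloc, so it lands here
    return _same_site(parts, urlsplit(portal_url))


def strict_is_url_in_portal(url, portal_url=PORTAL_URL):
    """Rejects a scheme with no host before treating a URL as relative."""
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:
        return False  # scheme without "//host": browsers may resolve it off-site
    if not parts.scheme and not parts.netloc:
        return True  # no scheme and no host: relative (simplified, path not resolved)
    return _same_site(parts, urlsplit(portal_url))


def compare(urls):
    """Return {url: (naive verdict, strict verdict)} for each candidate."""
    return {u: (naive_is_url_in_portal(u), strict_is_url_in_portal(u)) for u in urls}


if __name__ == "__main__":
    samples = [  # constructed redirect targets
        "/site/news",
        "https://portal.example/site/news",
        "https://example.org",
        "https:example.org",
    ]
    for url, (naive, strict) in compare(samples).items():
        print(f"{url!r:40} naive={naive!s:5} strict={strict}")
```

Only the last sample differs between the two validators, which is the case a redirect-target test suite should include.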

Affected Version(s)

Products.isurlinportal < 1.2.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
