{"id":"CVE-2016-7139","details":"Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. The referenced Plone security advisory classifies this as a non-persistent (reflected) XSS and addresses it in Plone Hotfix 20160830; the vulnerable template and injection parameter are not identified in this record, so affected sites should apply the hotfix or upgrade rather than rely on a targeted mitigation. Per the CVSS v3 vector, exploitation is unauthenticated but requires user interaction.","aliases":["GHSA-pp4c-2692-7f37","PYSEC-2017-62"],"modified":"2026-04-11T17:11:56.100580Z","published":"2017-03-07T16:59:01.103Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/archive/1/539572/100/0/threaded"},{"type":"WEB","url":"http://www.securityfocus.com/bid/92752"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Oct/80"},{"type":"ADVISORY","url":"https://plone.org/security/hotfix/20160830/non-persistent-xss-in-plone"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/4"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/09/05/5"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/139110/Plone-CMS-4.3.11-5.0.6-XSS-Traversal-Open-Redirection.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plone/plone","events":[{"introduced":"0"},{"last_affected":"1ccb8d78a4ddb938981cbe5a855715f2454dcec8"},{"last_affected":"b555ce9afef4273221c960fdfc6afa508fa590ad"},{"last_affected":"1a262281a56953b800bb7cd4d8c574ff46c2d668"},{"last_affected":"829b1603d106a6674015e8a65a68dc89cda74bf3"},{"last_affected":"14f7de1effc24a26a0116caaea0296641f14be94"},{"last_affected":"6c3530a6e8a4cf306e3579f204fd046f145679d7"},{"last_affected":"23d7e1c8a0e0c0bac10e82ce5fcb18a31ad9b069"},{"last_affected":"548ce8d5e49774fd3531fc5ed58880c7a741a761"},{"last_affected":"40fd2b18bd0d733be3d4006ba5e998b11e510d8c"},{"last_affected":"3fd1fb166220743e8409af3aa92be8300c5ec940"},{"last_affected":"87d616d0808098b357922960dbec185c219acb13"},{"last_affected":"204d1e525537a254b16e4151c7229c5bead6df28"},{"last_affected":"406bbc24630619ad20c86b61f7198da49520a825"},{"last_affected":"1e60ca9217f5038fc7a9ea3b81afcaa1c08f359b"},{"last_affected":"3
bc6cb6b05666aabe770268e34e56bc32ea4a591"},{"last_affected":"d89e290ebd951a584b7a55bcb4439b0898620288"},{"last_affected":"9378e691c0d32d5a6b16550d7a4bbad5792714be"},{"last_affected":"679129d1d6825506f9e13563b8abf4be3723ed33"},{"last_affected":"c6ca3fa925108f7bc2a638c5f7335b6767a743a1"},{"last_affected":"1503c5fa2df3dee711da4ccc6e2cc8a0a65ad6cf"},{"last_affected":"ad49b9b055b2a9a0ee40f82f23d85b786335756c"},{"last_affected":"9ef97fe1f46b8383ac3c48a9110e4cfccd7f807f"},{"last_affected":"0efd4ab3fdabd8eb64f22328563daae2e1819e4f"},{"last_affected":"e759411203bd0746cd7a1ed396c16b4843342e8c"},{"last_affected":"2183c78b82e1d84deb661043b27356995251de41"},{"last_affected":"7d94a438dde3784322813a399d46c54cd5b864e5"},{"last_affected":"f3dd0b7fac24438482e4368280a534f868b75f97"},{"last_affected":"d8f0c3f23d11b3ecf37740b454c8698521eb9ef9"},{"last_affected":"4708ff915d63bf21a9434d328fcd0b656bc66d94"},{"last_affected":"bfad4ef994a9b471fbfb314256df6840f286a032"},{"last_affected":"2a627f292e8b06c376b5c7093189b78f778c96b6"},{"last_affected":"ccc8eff38984b0a25a5827aabfdb8ab5e798ce30"},{"last_affected":"3e0c78057de5798ed989d0b2ed9dd12ec39978e1"},{"last_affected":"8a6687397896c935b7f2c59b58500fdf234854bb"},{"last_affected":"b0a5c6ce2148edc9c2055961f64af788d1054fc4"},{"last_affected":"00a67de4ddd27cdec07ed6f4c834131b492e3f91"},{"last_affected":"16257e3b0027d6f811aceff565aca0879d85be7d"},{"last_affected":"cdf44d1d0bea8b8d48f896ad7821d37715142ccf"},{"last_affected":"ab50347a0aeb2c3d68b6f7faae6a82d0a0e91516"},{"last_affected":"c7ca35de26093e40ae01ad0778b960cfde71fb3d"},{"last_affected":"83b346aef1cd7a5ea851fe5c02af4b94648767c6"},{"last_affected":"829aa2dd9d8f088ebf8f3da49b9e32ba90326135"},{"last_affected":"217e9c10670623e7a06a7bdeca2f80dae73c77d0"},{"last_affected":"6ffff6a69083367d6d6720444aa067be4899780b"},{"last_affected":"c4244a4887e0901a1c17b3ee60e1cfbe19ee46c5"},{"last_affected":"006f2dc3068b6d935e30bbea8e4ba41f6acacf33"},{"last_affected":"5f05c642ef0796b15e447793755b1bbd8ce40905"},{"last
_affected":"c3d7603485d808537e024883ce401ad504924a5a"},{"last_affected":"eb76237a4e6587a8249acfe0649c153d9d1df910"},{"last_affected":"5d3edca6781cf97ae971db366f847e01887995e2"},{"last_affected":"6371a276e3775cb11070862a0045b34aa1973b12"},{"last_affected":"d4d2a336b6ec125c60610a22a003502858ac51a5"},{"last_affected":"5fe576e77155d3a1946699472dc064c66e8facb5"},{"last_affected":"42964e94bc07a40a76496e9746fa10b57c21a2d7"},{"last_affected":"4d260f76643a633d312b81d568ca5bed57e330e0"}],"database_specific":{"cpe":["cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*","c
pe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:a1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*","cpe:2.3:a:plone:plone:5.1a1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"3.3"},{"last_affected":"3.3.1"},{"last_affected":"3.3.2"},{"last_affected":"3.3.3"},{"last_affected":"3.3.4"},{"last_affected":"3.3.5"},{"last_affected":"3.3.6"},{"last_affected":"4.0"},{"last_affected":"4.0.1"},{"last_affected":"4.0.2"},{"last_affected":"4.0.3"},{"last_affected":"4.0.4"},{"last_affected":"4.0.5"},{"last_affected":"4.0.7"},{"last_affected":"4.0.8"},{"last_affected":"4.0.9"},{"last_affected":"4.0.10"},{"last_affected":"4.1"},{"last_affected":"4.1.1"},{"last_affected":"4.1.2"},{"last_affected":"4.1.3"},{"last_affected":"4.1.4"},{"last_affected":"4.1.5"},{"last_affected":"4.1.6"},{"last_affected":"4.2"},{"last_affected":"4.2.1"},{"last_affected":"4.2.2"},{"last_affected":"4.2.3"},{"last_affected":"4.2.4"},{"last_affected":"4.2.5"},{"last_affected":"4.2.6"},{"last_affected":"4.2.7"},{"last_affected":"4.3"},{"last_affected":"4.3.1"},{"last_affected":"4.3.2"},{"last_affected":"4.3.3"},{"last_affected":"4.3.4"},{"last_affected":"4.3.5"},{"last_affected"
:"4.3.6"},{"last_affected":"4.3.7"},{"last_affected":"4.3.8"},{"last_affected":"4.3.9"},{"last_affected":"4.3.10"},{"last_affected":"4.3.11"},{"last_affected":"5.0"},{"last_affected":"5.0-a1"},{"last_affected":"5.0-rc1"},{"last_affected":"5.0-rc2"},{"last_affected":"5.0-rc3"},{"last_affected":"5.0.1"},{"last_affected":"5.0.2"},{"last_affected":"5.0.3"},{"last_affected":"5.0.4"},{"last_affected":"5.0.5"},{"last_affected":"5.0.6"},{"last_affected":"5.1a1"}],"source":"CPE_FIELD"}}],"versions":["3.3","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3b1","3.3rc5","4.0","4.0.1","4.0.10","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.0a1","4.0a2","4.0a3","4.0a4","4.0a5","4.0b1","4.0b2","4.0b3","4.0b4","4.0b5","4.0rc1","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1a1","4.1a2","4.1a3","4.1b1","4.1b2","4.1rc1","4.1rc2","4.1rc3","4.2","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2a1","4.2a2","4.2b1","4.2b2","4.2rc1","4.2rc2","4.3","4.3.1","4.3.10","4.3.11","4.3.2","4.3.3","4.3.4","4.3.5","4.3.6","4.3.7","4.3.8","4.3.9","4.3a1","4.3a2","4.3b1","4.3b2","5.0","5.0.1","5.0.2","5.0.4","5.0.5","5.0.6","5.0a2","5.0a3","5.0b1","5.0b2","5.0b3","5.0b4","5.0rc1","5.0rc2","5.0rc3","5.1a1","5.1a2","5.1b1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-7139.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}