Plone’s URL-checking infrastructure includes a method for checking whether a URL is valid and located within the Plone site. By passing HTML in a specially crafted URL containing `<script`, `%3Cscript`, `javascript:`, or `javascript%3A`, Cross-site Scripting can be achieved.
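An added illustration of the failure mode described above and of a normalising check that closes it; this is example code, not Plone's own method or the hotfix, and `PORTAL_URL` and both function names are assumptions:

```python
from urllib.parse import unquote, urlsplit

# Assumed portal base URL (constructed for this example).
PORTAL_URL = "https://portal.example"
PORTAL_HOST = urlsplit(PORTAL_URL).netloc


def naive_is_url_in_portal(url):
    """Host-only check: anything without a foreign host is treated as
    site-local. A javascript: scheme or inline <script markup carries
    no host at all, so the four payload forms from the advisory pass."""
    parts = urlsplit(url)
    if not parts.netloc:
        return True
    return parts.netloc == PORTAL_HOST


def hardened_is_url_in_portal(url):
    """Normalise before deciding: percent-decode (bounded, so double
    encoding cannot hide a payload), lower-case, then reject markup and
    any scheme other than http/https before the host comparison."""
    decoded = url
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    lowered = decoded.strip().lower()
    if "<" in lowered or ">" in lowered:
        return False          # %3Cscript and <script both land here
    parts = urlsplit(lowered)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False          # javascript: and javascript%3A land here
    if not parts.netloc:
        return True           # plain site-relative path
    return parts.netloc == PORTAL_HOST
```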
www.openwall.com/lists/oss-security/2015/09/22/14
bugzilla.redhat.com/show_bug.cgi?id=1264788
github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087
nvd.nist.gov/vuln/detail/CVE-2015-7316
plone.org/security/hotfix/20150910/non-persistent-xss-in-plone
pypi.org/project/Products.PloneHotfix20150910