13 matches found
CVE-2026-28413
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...
PYSEC-2026-112
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...
CVE-2026-28413 Products.isurlinportal: Possible open redirect when using more than 2 forward slashes
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...
CVE-2026-28413
The CVE affects Plone via the Products.isurlinportal replacement. Before versions 2.1.0, 3.1.0, and 4.0.0, a login redirect can be manipulated when the came_from parameter contains more than two forward slashes (e.g., /login?came_from=////evil.example), leading to an open redirect. The issue has ...
Open Redirect
Overview: Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Affected versions of this package are vulnerable to Open Redirect via the login form. An attacker can cause users to be redirected to an external website by crafting a URL with more than two forward slashes in the...
EUVD-2018-0113
Malware in sbrugna...
EUVD-2014-6141
Malware in sbrugna...
PYSEC-2018-70
When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'camefrom' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafte...
Open redirect
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to 1...
PYSEC-2015-13
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the camefrom parameter to admin/login...
Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins. Description: Kallithea suffers from...
Open redirect
Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the camefrom parameter, aka ZEN-11998...