CVE-2026-28413 Products.isurlinportal: Possible open redirect when using more than 2 forward slashes
Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a URL such as /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...
Open Redirect
Overview: Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Affected versions of this package are vulnerable to Open Redirect via the login form. An attacker can cause users to be redirected to an external website by crafting a URL with more than two forward slashes in the...
EUVD-2014-6141
Malware in sbrugna...
EUVD-2018-0113
Malware in sbrugna...
PYSEC-2018-70
When you visit a page where you need to log in, Plone 2.5-5.1rc1 sends you to the login form with a 'camefrom' parameter set to the previous URL. After you log in, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafte...
Open redirect
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to 1...
PYSEC-2015-13
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the camefrom parameter to admin/login...
Open redirect
Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the camefrom parameter, aka ZEN-11998...