
14 matches found

PyPA
added 2026/03/05 9:16 p.m. · 7 views

PYSEC-2026-112

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...

6.1 CVSS · 5.7 AI score · 0.00227 EPSS
Exploits 0 · References 1 · Affected Software 1

OSV
added 2026/03/05 9:16 p.m. · 6 views

PYSEC-2026-112

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...

6.1 CVSS · 5.7 AI score · 0.00227 EPSS
Exploits 0 · References 1

ATTACKERKB
added 2026/03/05 8:16 p.m. · 3 views

CVE-2026-28413

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...

5.3 CVSS · 5.8 AI score · 0.00227 EPSS
Exploits 0 · References 2 · Affected Software 1

Cvelist
added 2026/03/05 8:16 p.m. · 26 views

CVE-2026-28413 Products.isurlinportal: Possible open redirect when using more than 2 forward slashes

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...

5.3 CVSS · 0.00227 EPSS
Exploits 0 · References 1

CVE
added 2026/03/05 8:16 p.m. · 8 views

CVE-2026-28413

The CVE affects Plone via the Products.isurlinportal replacement. Before versions 2.1.0, 3.1.0, and 4.0.0, a login redirect can be manipulated when the came_from parameter contains more than two forward slashes (e.g., /login?came_from=////evil.example), leading to an open redirect. The issue has ...

6.1 CVSS · 5.8 AI score · 0.00227 EPSS
Exploits 0 · References 1 · Affected Software 1

OSV
added 2026/03/05 8:16 p.m. · 6 views

CVE-2026-28413 Products.isurlinportal: Possible open redirect when using more than 2 forward slashes

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?camefrom=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0...

5.3 CVSS · 5.7 AI score · 0.00227 EPSS
Exploits 0 · References 3

CNNVD
added 2026/03/05 12:00 a.m. · 6 views

isURLInPortal input validation error vulnerability

isURLInPortal is a Plone open-source URL security check patch for Plone. Versions prior to 2.1.0, 3.1.0, and 4.0.0 of isURLInPortal had an input validation vulnerability that could lead to redirection to external websites after login...

6.1 CVSS · 5.8 AI score · 0.00227 EPSS
Exploits 0 · References 1

OSV
added 2026/03/02 8:14 p.m. · 3 views

GHSA-43GX-6GV6-3JCP Products.isurlinportal has possible open redirect when using more than 2 forward slashes

Impact A url /login?camefrom=////evil.example may redirect to an external website after login. Standard Plone is not affected, but if you have customised the login, for example with add-ons, you might be affected. You can try the url to check if you are affected or not. Patches The problem has be...

5.3 CVSS · 5.8 AI score · 0.00227 EPSS
Exploits 0 · References 4

Positive Technologies
added 2026/03/02 12:00 a.m. · 5 views

PT-2026-22990

Name of the Vulnerable Software and Affected Versions Products.isurlinportal versions prior to 2.1.0 Products.isurlinportal versions prior to 3.1.0 Products.isurlinportal versions prior to 4.0.0 Description A specially crafted URL, such as /login?came from=////evil.example, could redirect a user ...

5.3 CVSS · 5.8 AI score · 0.00227 EPSS
Exploits 0 · References 6

Japan Vulnerability Notes
added 2021/08/12 5:05 a.m. · 4 views

Plone vulnerable to open redirect

Overview Plone provided by Plone Foundation contains an open redirect vulnerability CWE-601. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessin...

6.5 CVSS · 6.6 AI score · 0.01028 EPSS
Exploits 0 · References 7

PyPA
added 2021/08/02 7:15 p.m. · 3 views

PYSEC-2021-323

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Versions of Products.isurlinportal prior to 1.2.0 have an Open Redirect vulnerability. Various parts of Plone use the 'is url in portal' check for security, mostly to see if it is safe to redirect to a url. A url like...

6.5 CVSS · 6.8 AI score · 0.01028 EPSS
Exploits 0 · References 3 · Affected Software 1

RedhatCVE
added 2018/01/09 5:50 a.m. · 26 views

CVE-2017-1000481

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'camefrom' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafte...

6.1 CVSS · 2.6 AI score · 0.00685 EPSS
Exploits 0 · References 1

PyPA
added 2014/01/21 4:06 p.m. · 7 views

PYSEC-2014-64

The isURLInPortal method in the URLTool class in inportal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allowexternalloginsites filtering property, redirect users to...

5.8 CVSS · 6.9 AI score · 0.02361 EPSS
Exploits 1 · References 6 · Affected Software 1

Positive Technologies
added 2014/01/21 12:00 a.m. · 4 views

PT-2014-2763 · Plone Foundation · Plone

Name of the Vulnerable Software and Affected Versions: Plone versions 2.1 through 4.1 Plone versions 4.2.x through 4.2.5 Plone versions 4.3.x through 4.3.1 Description: The issue allows remote attackers to bypass filtering and redirect users to arbitrary web sites, potentially conducting phishing...

8.7 CVSS · 6.5 AI score · 0.02361 EPSS
Exploits 1 · References 12