Ubuntu.comUB:CVE-2016-7147CVE-2016-7147
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
64.9%
Cross-site scripting (XSS) vulnerability in the manage_findResult component
in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before
5.0.7 allows remote attackers to inject arbitrary web script or HTML via
vectors involving double quotes, as demonstrated by the obj_ids:tokens
parameter. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2016-7140.
References
github.com/zopefoundation/Zope/pull/86/commits/e130ee11fe36255b90c85404520b503e29e16e09
launchpad.net/bugs/cve/CVE-2016-7147
nvd.nist.gov/vuln/detail/CVE-2016-7147
plone.org/security/hotfix/20170117
plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2
security-tracker.debian.org/tracker/CVE-2016-7147
www.curesec.com/blog/article/blog/Plone-XSS-186.html
www.cve.org/CVERecord?id=CVE-2016-7147
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
64.9%