CVE-2016-7147 - Vulnerability Details

Vendors	Products
Plone	Plone

Link	Providers
http://www.securityfocus.com/bid/96117
https://plone.org/security/hotfix/20170117
https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-02-04T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-09T10:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html"}, {"tags": ["x_refsource_MISC"], "url": "https://plone.org/security/hotfix/20170117"}, {"tags": ["x_refsource_MISC"], "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2"}, {"name": "96117", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96117"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-7147", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html", "refsource": "MISC", "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html"}, {"name": "https://plone.org/security/hotfix/20170117", "refsource": "MISC", "url": "https://plone.org/security/hotfix/20170117"}, {"name": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2", "refsource": "MISC", "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2"}, {"name": "96117", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96117"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:50:47.535Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://plone.org/security/hotfix/20170117"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2"}, {"name": "96117", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96117"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-7147", "datePublished": "2017-02-04T05:20:00", "dateReserved": "2016-09-05T00:00:00", "dateUpdated": "2024-08-06T01:50:47.535Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2017-02-04T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2017-02-09T10:57:02 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://plone.org/security/hotfix/20170117 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

}

3 : { »

name : 96117 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

]

url : http://www.securityfocus.com/bid/96117 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2016-7147 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

refsource : MISC (string)

url : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

}

1 : { »

name : https://plone.org/security/hotfix/20170117 (string)

refsource : MISC (string)

url : https://plone.org/security/hotfix/20170117 (string)

}

2 : { »

name : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

refsource : MISC (string)

url : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

}

3 : { »

name : 96117 (string)

refsource : BID (string)

url : http://www.securityfocus.com/bid/96117 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T01:50:47.535Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://plone.org/security/hotfix/20170117 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

}

3 : { »

name : 96117 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/bid/96117 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2016-7147 (string)

datePublished : 2017-02-04T05:20:00 (string)

dateReserved : 2016-09-05T00:00:00 (string)

dateUpdated : 2024-08-06T01:50:47.535Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "8B635DAD-AC53-4484-8750-200B662DAFD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "FDC93803-6506-4382-A013-18010EE7E06B", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E65977FD-A880-4D16-B56B-94A72774F42D", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4EA5B4F8-2155-403D-97D8-1272285D508B", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A3CA2943-77E5-4384-A019-415BBCE62F94", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7FF63F6-F1DC-4A97-A2E6-11CF613A31E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "538A3519-5B04-4FE5-A3C0-FD26EFA32705", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "858CBC5A-C241-475C-8125-C5EA351B12A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E08F4534-A588-463F-A745-39E559AB1CB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B64341BA-5722-415E-9771-9837168AB7C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E2929227-AE19-428D-9AC3-D312A559039B", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "3B6DC866-0FEE-475B-855C-A69E004810CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "50BF3E8E-152C-4E89-BAA2-A952D10F4611", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "F1F88BF6-9058-4CB8-A2D6-5653860CF489", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B2AA3FA2-15C3-444A-8810-5EF3E0E84D58", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "72F3B15A-CD0F-4CC5-A76F-E62637B30E2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "D913FCA7-4DAE-4E9A-9146-9AFA8472B04B", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "7C44B53B-953B-4522-A5B4-11573850D2CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "D8883023-113A-420A-97B6-A4A9B29CF7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "4DF4D113-8D9D-4DA3-A177-64783352F608", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "28F9B699-D1A4-425C-84ED-6A8FD29BE7F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "47321B60-67DA-4543-B173-D629A9569B45", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "58B36EB2-723F-4E25-8018-EEB2BE806D9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "7962EF74-6AC1-424C-A202-163AFDADA971", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F1818BB-E23A-4136-898D-1D0C80C08728", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "5CB06627-133A-40D1-8816-E31E0A9BAD22", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE7E448A-2C0C-4DE0-89EA-904718CB6C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "6E727C5C-9E54-49F7-B92C-2492069AAE08", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "BFD68465-4CDC-4788-8932-41335B5C4AC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "A7B739E0-FB73-401C-AB1A-E3C1434AA2A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "DCC8B987-5173-4C61-8DE6-B70C18EE6FD3", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "38BA31E8-77EC-478B-BC6E-E2F145A8B9BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "CE168A35-1A46-4A6F-8A08-25CDD886066D", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CFE0FC06-369B-46CF-9B1E-BAF7AF87E950", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "56571585-E9A2-4B78-B2B1-5D8EADED522A", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "2CDF8A15-401C-453E-8D09-8D4CDD4766DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "39B0B1CE-C0D9-495C-B4E7-E52A50BD6D97", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "043B3CBE-DEA2-474D-AA57-1830A470B621", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "08A6842B-B479-4D91-928A-1CCE1DCB936E", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "875A368A-F1D6-4795-99CF-A96DBCD1D407", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "B5962C24-BC35-4E27-B81B-E2D21F83FB13", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "55BCE259-700F-4E39-8565-99E4DFDA6F9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "CD0755E5-2001-499F-90EA-6C2133D116D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "5893527F-D365-4A39-9104-1B478804F0BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8C6DFBF-5CC6-49A7-BC83-E8F686815F6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8AF9FB6C-134F-4653-8771-1BF46AB39344", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "E22BA768-96DE-408F-8979-4CC58B50A09C", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "1672268D-2EFB-4D9E-99D4-AAEFEA659091", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9EF74DD4-27BB-4881-B324-B53336EF0648", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C6962EC-8398-4564-9840-AECB3E3D697D", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "ADE89FE6-DBF6-4CDD-BBA3-B34AEEAE6BA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "83D341D6-AB11-444F-88FD-22303D1E3F65", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "DAF8A5BB-2F6A-474F-9DCE-0AF9E8E1D1D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "58165598-70DB-48AD-BD6E-793B103DC15F", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.1:a1:*:*:*:*:*:*", "matchCriteriaId": "39E8A13F-B8F8-490D-AB5D-E8FF5EA0490B", "vulnerable": true}, {"criteria": "cpe:2.3:a:plone:plone:5.1:a2:*:*:*:*:*:*", "matchCriteriaId": "DD34F775-A365-4B65-8F60-F09EDD57B2EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140."}, {"lang": "es", "value": "Vulnerabilidad de XSS en el componente manage_findResult en la funcionalidad de b\u00fasqueda de Zope ZMI en Plone en versiones anteriores a 4.3.12 y 5.x en versiones anteriores a 5.0.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que implican comillas dobles. Como se demuestra por el par\u00e1metro obj_ids: tokens. NOTA: esta vulnerabilidad existe debido a una correcci\u00f3n incompleta para CVE-2016-7140."}], "id": "CVE-2016-7147", "lastModified": "2024-11-21T02:57:35.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-04T05:59:00.130", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/96117"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://plone.org/security/hotfix/20170117"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/96117"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://plone.org/security/hotfix/20170117"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "https://www.curesec.com/blog/article/blog/Plone-XSS-186.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 8B635DAD-AC53-4484-8750-200B662DAFD1 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:* (string)

matchCriteriaId : FDC93803-6506-4382-A013-18010EE7E06B (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:* (string)

matchCriteriaId : E65977FD-A880-4D16-B56B-94A72774F42D (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 4EA5B4F8-2155-403D-97D8-1272285D508B (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:* (string)

matchCriteriaId : A3CA2943-77E5-4384-A019-415BBCE62F94 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:* (string)

matchCriteriaId : B7FF63F6-F1DC-4A97-A2E6-11CF613A31E8 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 538A3519-5B04-4FE5-A3C0-FD26EFA32705 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:plone:plone:3.3.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 858CBC5A-C241-475C-8125-C5EA351B12A7 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:* (string)

matchCriteriaId : E08F4534-A588-463F-A745-39E559AB1CB8 (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:* (string)

matchCriteriaId : B64341BA-5722-415E-9771-9837168AB7C0 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:* (string)

matchCriteriaId : E2929227-AE19-428D-9AC3-D312A559039B (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 3B6DC866-0FEE-475B-855C-A69E004810CD (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 50BF3E8E-152C-4E89-BAA2-A952D10F4611 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:* (string)

matchCriteriaId : F1F88BF6-9058-4CB8-A2D6-5653860CF489 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:* (string)

matchCriteriaId : B2AA3FA2-15C3-444A-8810-5EF3E0E84D58 (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 72F3B15A-CD0F-4CC5-A76F-E62637B30E2E (string)

vulnerable : true (boolean)

}

17 : { »

criteria : cpe:2.3:a:plone:plone:4.0.10:*:*:*:*:*:*:* (string)

matchCriteriaId : D913FCA7-4DAE-4E9A-9146-9AFA8472B04B (string)

vulnerable : true (boolean)

}

18 : { »

criteria : cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 7C44B53B-953B-4522-A5B4-11573850D2CD (string)

vulnerable : true (boolean)

}

19 : { »

criteria : cpe:2.3:a:plone:plone:4.1.1:*:*:*:*:*:*:* (string)

matchCriteriaId : D8883023-113A-420A-97B6-A4A9B29CF7DB (string)

vulnerable : true (boolean)

}

20 : { »

criteria : cpe:2.3:a:plone:plone:4.1.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 4DF4D113-8D9D-4DA3-A177-64783352F608 (string)

vulnerable : true (boolean)

}

21 : { »

criteria : cpe:2.3:a:plone:plone:4.1.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 28F9B699-D1A4-425C-84ED-6A8FD29BE7F8 (string)

vulnerable : true (boolean)

}

22 : { »

criteria : cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 47321B60-67DA-4543-B173-D629A9569B45 (string)

vulnerable : true (boolean)

}

23 : { »

criteria : cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 58B36EB2-723F-4E25-8018-EEB2BE806D9D (string)

vulnerable : true (boolean)

}

24 : { »

criteria : cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 7962EF74-6AC1-424C-A202-163AFDADA971 (string)

vulnerable : true (boolean)

}

25 : { »

criteria : cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 1F1818BB-E23A-4136-898D-1D0C80C08728 (string)

vulnerable : true (boolean)

}

26 : { »

criteria : cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 5CB06627-133A-40D1-8816-E31E0A9BAD22 (string)

vulnerable : true (boolean)

}

27 : { »

criteria : cpe:2.3:a:plone:plone:4.2.2:*:*:*:*:*:*:* (string)

matchCriteriaId : AE7E448A-2C0C-4DE0-89EA-904718CB6C6D (string)

vulnerable : true (boolean)

}

28 : { »

criteria : cpe:2.3:a:plone:plone:4.2.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 6E727C5C-9E54-49F7-B92C-2492069AAE08 (string)

vulnerable : true (boolean)

}

29 : { »

criteria : cpe:2.3:a:plone:plone:4.2.4:*:*:*:*:*:*:* (string)

matchCriteriaId : BFD68465-4CDC-4788-8932-41335B5C4AC8 (string)

vulnerable : true (boolean)

}

30 : { »

criteria : cpe:2.3:a:plone:plone:4.2.5:*:*:*:*:*:*:* (string)

matchCriteriaId : A7B739E0-FB73-401C-AB1A-E3C1434AA2A3 (string)

vulnerable : true (boolean)

}

31 : { »

criteria : cpe:2.3:a:plone:plone:4.2.6:*:*:*:*:*:*:* (string)

matchCriteriaId : DCC8B987-5173-4C61-8DE6-B70C18EE6FD3 (string)

vulnerable : true (boolean)

}

32 : { »

criteria : cpe:2.3:a:plone:plone:4.2.7:*:*:*:*:*:*:* (string)

matchCriteriaId : 38BA31E8-77EC-478B-BC6E-E2F145A8B9BD (string)

vulnerable : true (boolean)

}

33 : { »

criteria : cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:* (string)

matchCriteriaId : CE168A35-1A46-4A6F-8A08-25CDD886066D (string)

vulnerable : true (boolean)

}

34 : { »

criteria : cpe:2.3:a:plone:plone:4.3.1:*:*:*:*:*:*:* (string)

matchCriteriaId : CFE0FC06-369B-46CF-9B1E-BAF7AF87E950 (string)

vulnerable : true (boolean)

}

35 : { »

criteria : cpe:2.3:a:plone:plone:4.3.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 56571585-E9A2-4B78-B2B1-5D8EADED522A (string)

vulnerable : true (boolean)

}

36 : { »

criteria : cpe:2.3:a:plone:plone:4.3.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 2CDF8A15-401C-453E-8D09-8D4CDD4766DB (string)

vulnerable : true (boolean)

}

37 : { »

criteria : cpe:2.3:a:plone:plone:4.3.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 39B0B1CE-C0D9-495C-B4E7-E52A50BD6D97 (string)

vulnerable : true (boolean)

}

38 : { »

criteria : cpe:2.3:a:plone:plone:4.3.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 043B3CBE-DEA2-474D-AA57-1830A470B621 (string)

vulnerable : true (boolean)

}

39 : { »

criteria : cpe:2.3:a:plone:plone:4.3.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 08A6842B-B479-4D91-928A-1CCE1DCB936E (string)

vulnerable : true (boolean)

}

40 : { »

criteria : cpe:2.3:a:plone:plone:4.3.7:*:*:*:*:*:*:* (string)

matchCriteriaId : 875A368A-F1D6-4795-99CF-A96DBCD1D407 (string)

vulnerable : true (boolean)

}

41 : { »

criteria : cpe:2.3:a:plone:plone:4.3.8:*:*:*:*:*:*:* (string)

matchCriteriaId : B5962C24-BC35-4E27-B81B-E2D21F83FB13 (string)

vulnerable : true (boolean)

}

42 : { »

criteria : cpe:2.3:a:plone:plone:4.3.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 55BCE259-700F-4E39-8565-99E4DFDA6F9E (string)

vulnerable : true (boolean)

}

43 : { »

criteria : cpe:2.3:a:plone:plone:4.3.10:*:*:*:*:*:*:* (string)

matchCriteriaId : CD0755E5-2001-499F-90EA-6C2133D116D0 (string)

vulnerable : true (boolean)

}

44 : { »

criteria : cpe:2.3:a:plone:plone:4.3.11:*:*:*:*:*:*:* (string)

matchCriteriaId : 5893527F-D365-4A39-9104-1B478804F0BD (string)

vulnerable : true (boolean)

}

45 : { »

criteria : cpe:2.3:a:plone:plone:5.0:*:*:*:*:*:*:* (string)

matchCriteriaId : E8C6DFBF-5CC6-49A7-BC83-E8F686815F6A (string)

vulnerable : true (boolean)

}

46 : { »

criteria : cpe:2.3:a:plone:plone:5.0:rc1:*:*:*:*:*:* (string)

matchCriteriaId : 8AF9FB6C-134F-4653-8771-1BF46AB39344 (string)

vulnerable : true (boolean)

}

47 : { »

criteria : cpe:2.3:a:plone:plone:5.0:rc2:*:*:*:*:*:* (string)

matchCriteriaId : E22BA768-96DE-408F-8979-4CC58B50A09C (string)

vulnerable : true (boolean)

}

48 : { »

criteria : cpe:2.3:a:plone:plone:5.0:rc3:*:*:*:*:*:* (string)

matchCriteriaId : 1672268D-2EFB-4D9E-99D4-AAEFEA659091 (string)

vulnerable : true (boolean)

}

49 : { »

criteria : cpe:2.3:a:plone:plone:5.0.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 9EF74DD4-27BB-4881-B324-B53336EF0648 (string)

vulnerable : true (boolean)

}

50 : { »

criteria : cpe:2.3:a:plone:plone:5.0.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 1C6962EC-8398-4564-9840-AECB3E3D697D (string)

vulnerable : true (boolean)

}

51 : { »

criteria : cpe:2.3:a:plone:plone:5.0.3:*:*:*:*:*:*:* (string)

matchCriteriaId : ADE89FE6-DBF6-4CDD-BBA3-B34AEEAE6BA5 (string)

vulnerable : true (boolean)

}

52 : { »

criteria : cpe:2.3:a:plone:plone:5.0.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 83D341D6-AB11-444F-88FD-22303D1E3F65 (string)

vulnerable : true (boolean)

}

53 : { »

criteria : cpe:2.3:a:plone:plone:5.0.5:*:*:*:*:*:*:* (string)

matchCriteriaId : DAF8A5BB-2F6A-474F-9DCE-0AF9E8E1D1D4 (string)

vulnerable : true (boolean)

}

54 : { »

criteria : cpe:2.3:a:plone:plone:5.0.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 58165598-70DB-48AD-BD6E-793B103DC15F (string)

vulnerable : true (boolean)

}

55 : { »

criteria : cpe:2.3:a:plone:plone:5.1:a1:*:*:*:*:*:* (string)

matchCriteriaId : 39E8A13F-B8F8-490D-AB5D-E8FF5EA0490B (string)

vulnerable : true (boolean)

}

56 : { »

criteria : cpe:2.3:a:plone:plone:5.1:a2:*:*:*:*:*:* (string)

matchCriteriaId : DD34F775-A365-4B65-8F60-F09EDD57B2EF (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140. (string)

}

1 : { »

lang : es (string)

value : Vulnerabilidad de XSS en el componente manage_findResult en la funcionalidad de búsqueda de Zope ZMI en Plone en versiones anteriores a 4.3.12 y 5.x en versiones anteriores a 5.0.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que implican comillas dobles. Como se demuestra por el parámetro obj_ids: tokens. NOTA: esta vulnerabilidad existe debido a una corrección incompleta para CVE-2016-7140. (string)

}

]

id : CVE-2016-7147 (string)

lastModified : 2024-11-21T02:57:35.323 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.1 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2017-02-04T05:59:00.130 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

url : http://www.securityfocus.com/bid/96117 (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Vendor Advisory (string)

]

url : https://plone.org/security/hotfix/20170117 (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

}

3 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

2 : VDB Entry (string)

]

url : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.securityfocus.com/bid/96117 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Vendor Advisory (string)

]

url : https://plone.org/security/hotfix/20170117 (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2 (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

2 : VDB Entry (string)

]

url : https://www.curesec.com/blog/article/blog/Plone-XSS-186.html (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object