Description
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
Published: 2026-03-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Patch Now
AI Analysis

Impact

Products.isurlinportal includes a method that can redirect users to external sites when the 'came_from' parameter contains more than two forward slashes. An attacker can craft a URL such as /login?came_from=////evil.example, causing the site to send users to a malicious domain after authentication. This leads to an open‑redirect vulnerability, exposing users to phishing or other social‑engineering attacks.

Affected Systems

Plone’s Products.isurlinportal component, versions prior to 2.1.0, 3.1.0, and 4.0.0, are vulnerable to this issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known public exploits at this time. Attackers can target the site remotely by generating a malicious redirect link that includes multiple forward slashes in the 'came_from' parameter. Patching to the fixed versions removes the flaw and eliminates the risk of unwanted redirects for logged‑in users.

Generated by OpenCVE AI on April 18, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Products.isurlinportal to version 2.1.0, 3.1.0, or 4.0.0, whichever applies to your release.
  • Validate the 'came_from' parameter so that it does not contain more than two consecutive slashes, preventing the redirect logic from triggering.
  • Monitor authentication logs for suspicious redirect patterns to detect any attempts to exploit this vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 09:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-43gx-6gv6-3jcp Products.isurlinportal has possible open redirect when using more than 2 forward slashes
History

Tue, 17 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:plone:isurlinportal:*:*:*:*:*:plone:*:*
cpe:2.3:a:plone:isurlinportal:4.0.0:alpha1:*:*:*:plone:*:*

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Plone
Plone isurlinportal
Vendors & Products Plone
Plone isurlinportal

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
Title Products.isurlinportal: Possible open redirect when using more than 2 forward slashes
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Plone Isurlinportal
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:03:20.625Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28413

cve-icon Vulnrichment

Updated: 2026-03-06T17:03:17.005Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:22.023

Modified: 2026-03-17T18:32:49.883

Link: CVE-2026-28413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses