GHSA-43gx-6gv6-3jcpMediumCVSS 5.3

Products.isurlinportal has possible open redirect when using more than 2 forward slashes

Published
March 2, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

A url /login?came_from=////evil.example may redirect to an external website after login.

Standard Plone is not affected, but if you have customised the login, for example with add-ons, you might be affected. You can try the url to check if you are affected or not.

Patches

The problem has been patched in Products.isurlinportal.

  • Plone 6.2: upgrade to Products.isurlinportal 4.0.0.
  • Plone 6.1: upgrade to Products.isurlinportal 3.1.0.
  • Plone 6.0: upgrade to Products.isurlinportal 2.1.0.
  • Older Plone versions don't have security support anymore.

Workarounds

There are no known workarounds.

Background

When you are anonymous and land on a page that requires a login, Plone sends you to the login form. After successful login, Plone redirects you back to the page you came from. Various other forms and pages have a similar system.

This could get abused by an attacker to trick Plone into redirecting to a different website. Plone checks the page that would be redirected to. It is only accepted if it is within the Plone site domain or part of a different trusted domain.

The main check for this is in the Products.isurlinportal package. A lot of potentially malicious urls are already safely rejected, but here a loop hole was found.

This was discovered during a penetration test by the CERT-EU Team.

🎯 Affected products5

  • pip/Products.isurlinportal:= 4.0.0a1
  • pip/Products.isurlinportal:>= 3.0.0, < 3.1.0
  • pip/Products.isurlinportal:< 2.1.0
  • pip/products-isurlinportal:>= 0, < 2.1.0
  • pip/products-isurlinportal:>= 3.0.0, < 3.1.0

🔗 References (4)