CVE-2016-7147

CVE Database · CVE-2016-7147

CVE-2016-7147

· N/AModified

CVSS v3.1

N/A

EPSS

1.34%

Published

Feb 4, 2017

Modified

May 12, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Cross-site scripting (XSS) vulnerability in the manage_findResult component in the search feature in Zope ZMI in Plone before 4.3.12 and 5.x before 5.0.7 allows remote attackers to inject arbitrary web script or HTML via vectors involving double quotes, as demonstrated by the obj_ids:tokens parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7140.

Weaknesses (CWE)

CWE-79

Affected Products (57)

plone · plonevulnerable

plone · plone

References (8)

http://www.securityfocus.com/bid/96117

https://plone.org/security/hotfix/20170117

PatchRelease NotesVendor Advisory

https://plone.org/security/hotfix/20170117/non-persistent-xss-in-zope2

Vendor Advisory

https://www.curesec.com/blog/article/blog/Plone-XSS-186.html

PatchThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/96117

https://plone.org/security/hotfix/20170117

PatchRelease NotesVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs