Products.isurlinportal Open Redirect Vulnerability
Vulnerability
An open redirect vulnerability has been identified in the Products.isurlinportal package, which is used as a replacement for the isURLInPortal method in Plone. This vulnerability affects versions prior to 2.1.0, 3.1.0, and 4.0.0. The issue arises when a URL containing multiple forward slashes is used; after logging in, the user may be redirected to an external website. While standard Plone is not affected, customized logins or certain add-ons could introduce this vulnerability.
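The constructed pair below is an added illustration, not code from Products.isurlinportal or Plone: a naive "is this URL inside the portal?" check that Python's urlsplit lets through for a URL beginning with three slashes (urlsplit reads an empty host and treats the rest as a path, while browsers collapse the extra slashes and navigate to that host), next to a hardened check that refuses any leading run of slashes before parsing. It goes slightly beyond the advisory by also treating backslashes as slashes, as browsers do for http and https. The portal URL and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample portal URL (assumption, not from the advisory).
PORTAL_URL = "https://portal.example"


def naive_is_url_in_portal(url, portal_url=PORTAL_URL):
    """Illustrative weak check: trusts urlsplit's notion of 'has a host'.

    urlsplit('///evil.example/x') yields netloc '' and path '/evil.example/x',
    so the URL is wrongly accepted as portal-relative.
    """
    parts = urlsplit(url)
    portal = urlsplit(portal_url)
    if parts.netloc:
        return parts.netloc.lower() == portal.netloc.lower()
    return True  # no host seen, assumed relative to the portal


def is_url_in_portal(url, portal_url=PORTAL_URL):
    """Hardened check: reject scheme-relative forms before parsing, then
    require an exact scheme/host match and a path under the portal root."""
    url = url.strip()
    # Browsers turn any leading run of two or more slashes (or backslashes)
    # into an authority separator, so '///evil.example' means https://evil.example.
    if re.match(r"^[\\/]{2}", url):
        return False
    parts = urlsplit(url)
    portal = urlsplit(portal_url)
    if not parts.scheme and not parts.netloc:
        return True  # a genuine portal-relative path such as '/folder/page'
    if parts.scheme.lower() != portal.scheme.lower():
        return False  # also rejects javascript:, mailto:, data: and the like
    if parts.netloc.lower() != portal.netloc.lower():
        return False
    base = portal.path.rstrip("/")
    return parts.path == base or parts.path.startswith(base + "/")


def demo():
    """Returns the two verdicts for the multi-slash case: (naive, hardened)."""
    probe = "///evil.example/path"
    return naive_is_url_in_portal(probe), is_url_in_portal(probe)
```

In a login flow the hardened check decides whether a stored "came_from" value may be used as the post-login redirect target; anything it rejects should fall back to the portal root.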
Impact
Exploitation of this vulnerability could lead to an open redirect, where users are sent to an external website after logging in, potentially allowing for phishing attacks or other malicious activities.
Remediation
Users can upgrade to Products.isurlinportal version 4.0.0 for Plone 6.2, version 3.1.0 for Plone 6.1, or version 2.1.0 for Plone 6.0. For older Plone versions, no security support is available.
