SCA: security update for Products.isurlinportal (GHSA-q3m9-9fj2-mfwr)

high Tenable Self-Hosted Container Security Plugin ID 417842

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Products.isurlinportal is a replacement for isURLInPortal method in Plone. Versions of
Products.isurlinportal prior to 1.2.0 have an Open Redirect vulnerability. Various parts of Plone use the
'is url in portal' check for security, mostly to see if it is safe to redirect to a url. A url like
`https://example.org` is not in the portal. The url `https:example.org` without slashes is considered to
be in the portal. When redirecting, some browsers go to `https://example.org`, others give an error.
Attackers may use this to redirect victims to their site, especially as part of a phishing attack. The
problem has been patched in Products.isurlinportal 1.2.0. (CVE-2021-32806)

See Also

https://github.com/advisories/GHSA-q3m9-9fj2-mfwr

Plugin Details

Severity: High

ID: 417842

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-32806

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/5/2021

Vulnerability Publication Date: 8/2/2021

Reference Information

CVE: CVE-2021-32806

cwe: CWE-601