CVE-2026-28413

5.3 MEDIUM

📋 TL;DR

This vulnerability in Products.isurlinportal allows attackers to redirect users to external malicious websites after login by manipulating the 'came_from' parameter. It affects Plone installations using vulnerable versions of the Products.isurlinportal package. The issue enables open redirect attacks that could facilitate phishing or credential theft.

💻 Affected Systems

Products:
  • Plone with Products.isurlinportal package
Versions: All versions before 2.1.0, 3.1.0, and 4.0.0
Operating Systems: All platforms running Plone
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Plone installations where Products.isurlinportal is used as a replacement for the isURLInPortal method.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users are redirected to malicious websites that steal credentials, install malware, or perform social engineering attacks after legitimate authentication.

🟠 Likely Case

Attackers use the redirect for phishing campaigns, tricking users into visiting fake login pages or malicious sites.

🟢 If Mitigated

With proper input validation and URL filtering, the redirect is blocked or users are warned before external navigation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (login) but the attack vector is simple URL manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.0, 3.1.0, or 4.0.0

Vendor Advisory: https://github.com/plone/Products.isurlinportal/security/advisories/GHSA-43gx-6gv6-3jcp

Restart Required: Yes

Instructions:

1. Identify the current Products.isurlinportal version.
2. Upgrade to 2.1.0, 3.1.0, or 4.0.0 using pip or your package manager.
3. Restart the Plone instance.
4. Verify the fix by testing the came_from parameter.

🔧 Temporary Workarounds

Input Validation Filter


Add middleware or view code that validates the came_from parameter URL before it is used as a redirect target.

Implement URL validation in the Plone authentication views so that external URLs, including protocol-relative forms such as a leading "//" or "////", are rejected in the came_from parameter.
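As an added example, not code from Products.isurlinportal or Plone, this is the kind of came_from check the workaround above describes, exercised on the page's `////evil.example` case. The naive variant shows why trusting only the parsed host is not enough: Python's urlsplit treats only exactly two leading slashes as an authority, while a browser treats any run of leading slashes as protocol-relative. The `portal_hosts` parameter is an assumed allow-list of the site's own hostnames.

```python
from urllib.parse import urlsplit


def naive_is_local(came_from: str) -> bool:
    """The check an open-redirect bug typically relies on: assume urlsplit
    flags every URL that names a host. It accepts '////evil.example'
    because urlsplit only recognises an authority after exactly "//"."""
    parts = urlsplit(came_from)
    return not parts.scheme and not parts.netloc


def is_safe_came_from(came_from: str, portal_hosts=()) -> bool:
    """Accept only a site-relative path, or an http(s) URL whose host is
    in portal_hosts (assumed allow-list; constructed for this example)."""
    if not came_from:
        return False
    # Browsers treat a backslash like a forward slash when deciding whether
    # a URL is protocol-relative, so normalise before parsing.
    candidate = came_from.replace("\\", "/")
    # Control characters are used to smuggle schemes past prefix checks
    # (urlsplit silently drops tabs and newlines); reject, do not clean.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to a known portal host is acceptable.
        # hostname strips userinfo, so "portal@evil.example" resolves to
        # "evil.example" and is rejected.
        return parts.scheme in ("http", "https") and parts.hostname in portal_hosts
    # urlsplit saw no host, but two or more leading slashes are still
    # protocol-relative to a browser: this is the "////evil.example" case.
    if candidate.startswith("//"):
        return False
    # Require an explicit site-relative path.
    return candidate.startswith("/")


if __name__ == "__main__":
    # Constructed sample values, including the page's test URL.
    for value in ("/Plone/folder/page", "////evil.example", "//evil.example",
                  "/\\evil.example", "https://evil.example/login"):
        print(f"{value!r:32} naive={naive_is_local(value)!s:5} "
              f"safe={is_safe_came_from(value)}")
```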

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests whose came_from parameter contains multiple leading slashes or an external domain
  • Monitor authentication logs for suspicious redirect patterns and alert on anomalous came_from values

🔍 How to Verify

Check if Vulnerable:

Test by accessing /login?came_from=////evil.example and checking whether a redirect to evil.example occurs after login

Check Version:

pip show Products.isurlinportal | grep Version

Verify Fix Applied:

After patching, test the same URL and confirm no external redirect occurs

📡 Detection & Monitoring

Log Indicators:

  • Authentication logs showing came_from parameter with multiple slashes or external domains
  • HTTP 302 redirects to external domains after login

Network Indicators:

  • Outbound HTTP requests to unexpected domains following Plone authentication

SIEM Query:

source="plone.log" AND (came_from CONTAINS "////" OR came_from CONTAINS "http://" OR came_from CONTAINS "https://")
