PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7147 Plone CVE debrief

CVE-2016-7147 is a cross-site scripting flaw in Plone's Zope ZMI search path, specifically the manage_findResult component. The record says remote attackers could inject arbitrary web script or HTML through vectors involving double quotes, with obj_ids:tokens called out as a demonstration input. NVD also ties the issue to an incomplete fix for CVE-2016-7140. The affected versions listed in the source corpus are Plone before 4.3.12 and 5.x before 5.0.7. It is not marked as a CISA KEV item in the supplied enrichment.

Vendor: Plone
Product: CVE-2016-7147
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-04
Original CVE updated: 2026-05-13
Advisory published: 2017-02-04
Advisory updated: 2026-05-13

Who should care

Plone administrators, security teams, and developers maintaining affected Plone instances should care, especially where Zope ZMI search or related admin pages are used.

Technical summary

The vulnerability is a CWE-79 XSS issue in the manage_findResult component of Plone's search feature in the Zope ZMI. The supplied NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates that the flaw is reachable over the network without privileges but requires user interaction, that its scope is changed, and that it has low confidentiality and integrity impact and no availability impact. The source description attributes the flaw to an incomplete fix for CVE-2016-7140 and lists vulnerable Plone versions up to 4.3.11 and 5.0.6.

Defensive priority

Medium. The issue is remotely reachable and can affect admin-facing workflows, but it requires user interaction and is scored 6.1 rather than high severity.

Recommended defensive actions

  • Upgrade affected Plone installations to 4.3.12, 5.0.7, or a later fixed release.
  • Review and apply the Plone hotfix/advisory referenced in the 20170117 security update.
  • Audit any custom templates, search-result views, or ZMI integrations that render untrusted data in the search flow.
  • Verify that the affected search path no longer reflects user-controlled input into HTML or JavaScript contexts after patching.

Evidence notes

This debrief is based on the supplied NVD record, which provides the vulnerability description, CVSS vector, CWE-79 classification, affected version entries, and reference list. The vendor advisory links on plone.org are the primary remediation references, and the description explicitly states the vulnerability exists because of an incomplete fix for CVE-2016-7140. No exploit code, weaponized reproduction, or unsupported impact claims are included.

Official resources

The CVE record was published on 2017-02-04, which is the appropriate disclosure date for this item in the supplied data. The vendor hotfix reference points to Plone's 20170117 security update. The later 2026-05-13 modified timestamp in theN