MidnightBSD

Advisories for zope

CVE-2000-0062 HIGH

The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 1.10.3
zope zope 2.1.1
CVE-2000-0483 HIGH

The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.1.7
zope zope 1.10.3
redhat linux_powertools 6.1
redhat linux_powertools 6.2
zope zope 2.1.1
CVE-2000-0725 HIGH

Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.1.7
zope zope 1.10.3
zope zope 2.1.1
zope zope 2.2_beta1
CVE-2000-1211 HIGH

Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.2.0b3
zope zope 2.2.0b2
zope zope 2.2.1
zope zope 2.2.3
zope zope 2.2.0
zope zope 2.2.0a1
zope zope 2.2.0b4
zope zope 2.2.0b1
zope zope 2.2.1b1
zope zope 2.2.2
zope zope 2.2.4
CVE-2000-1212 MEDIUM

Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.2.0b3
zope zope 2.2.0b2
zope zope 2.2.1
zope zope 2.2.3
zope zope 2.2.0
zope zope 2.2.0a1
zope zope 2.2.0b4
zope zope 2.2.0b1
zope zope 2.2.1b1
zope zope 2.2.2
zope zope 2.2.4
CVE-2001-0128 HIGH

Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
conectiva linux 5.0
conectiva linux 6.0
mandrakesoft mandrake_linux 7.2
redhat linux 6.2
redhat linux_powertools 6.2
freebsd freebsd 6.2
conectiva linux 4.2
redhat linux 6.1
redhat linux 7.0
conectiva linux 5.1
debian debian_linux 2.2
mandrakesoft mandrake_linux 7.1
redhat linux_powertools 6.1
zope zope *
redhat linux_powertools 7.0
CVE-2001-0567 MEDIUM

Digital Creations Zope 2.3.2 and earlier allows a local attacker to gain additional privileges via the changing of ZClass permission mappings for objects and methods in the ZClass.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 7.1
zope zope 7.2
CVE-2001-0568 LOW

Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Zope user) with through-the-web scripting capabilities to alter ZClasses class attributes.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope *
CVE-2001-0569 LOW

Digital Creations Zope 2.3.1 b1 and earlier contains a problem in the method return values related to the classes (1) ObjectManager, (2) PropertyManager, and (3) PropertySheet.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope *
CVE-2001-1227 HIGH

Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.2.5
zope zope 2.2.1
zope zope 2.2.3
zope zope 2.2.0
zope zope 2.2.2
zope zope 2.2.4
CVE-2001-1278 HIGH

Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.2.1
zope zope 2.2.3
zope zope 2.2.0
zope zope 2.2.2
zope zope 2.2.4
CVE-2002-0170 HIGH

Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.2.5
zope zope 2.5.0
zope zope 2.2.1
zope zope 2.3.3
zope zope 2.4.0
zope zope 2.4.4b1
zope zope 2.4.2
zope zope 2.2.4
zope zope 2.4.3
zope zope 2.3.1
zope zope 2.2.3
zope zope 2.2.0
zope zope 2.3.2
zope zope 2.5.1b1
zope zope 2.3.0
zope zope 2.4.1
zope zope 2.2.2
CVE-2002-0687 MEDIUM

The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope *
CVE-2002-0688 HIGH

ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.5.1
zope zope 2.4.0
CVE-2005-3323 HIGH

docutils in Zope 2.6, 2.7 before 2.7.8, and 2.8 before 2.8.2 allows remote attackers to include arbitrary files via include directives in RestructuredText functionality.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 3.0
zope zope 2.6
zope zope *
debian debian_linux 3.1
CVE-2006-3458 LOW

Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.7.4
zope zope 2.7.5
zope zope 2.8.7
zope zope 2.7.6
zope zope 2.8.5
zope zope 2.9.1
zope zope 2.8.2
zope zope 2.7.0
zope zope 2.9.0
zope zope 2.7.7
zope zope 2.8.6
zope zope 2.9.2
zope zope 2.8.4
zope zope 2.7.1
zope zope 2.8.1
zope zope 2.7.3
zope zope 2.7.2
zope zope 2.8.0
zope zope 2.7.8
zope zope 2.9.3
zope zope 2.8.3
CVE-2009-5145 MEDIUM

Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zope zope 2.11.2
zope zope 2.10.9
zope zope 2.10.5
zope zope 2.10.1
zope zope 2.10.7
zope zope 2.10.4
zope zope 2.11.4
zope zope 2.10.2
zope zope 2.10.6
zope zope 2.12.0
CVE-2010-1104 MEDIUM

Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zope zope 2.10.5
zope zope 2.8.7
zope zope 2.8.2
zope zope 2.8
zope zope 2.8.9.1
zope zope 2.11.0
zope zope 2.10.0-b2
zope zope 2.10.3
zope zope 2.8.4
zope zope 2.11.2
zope zope 2.11.5
zope zope 2.8.1
zope zope 2.10.2
zope zope 2.8.0
zope zope 2.11.3
zope zope 2.8.0-a2
zope zope 2.8.5
zope zope 2.9.1
zope zope 2.8.0-b1
zope zope 2.8.1-b1
zope zope 2.9.8
zope zope 2.10.8
zope zope 2.10.0-c1
zope zope 2.10.0-b1
zope zope 2.10.0-final
zope zope 2.9.2
zope zope 2.8.9
zope zope 2.8.0-a1
zope zope 2.10.10
zope zope 2.12.1
zope zope 2.10.3-final
zope zope 2.8.0-b2
zope zope 2.11.0b1
zope zope 2.8.8
zope zope 2.8.1-final
zope zope 2.12.2
zope zope 2.10.2-b1
zope zope 2.11.1
zope zope 2.10.6
zope zope 2.12.0
zope zope 2.8.3
zope zope 2.9.0-b1
zope zope 2.9.11
zope zope 2.8.0-final
zope zope 2.8.6
zope zope 2.10.2-final
zope zope 2.9.5
zope zope 2.11.0a1
zope zope 2.11.0c1
zope zope 2.8.11
zope zope 2.9.9
zope zope 2.9.4
zope zope 2.9.3
zope zope 2.10.9
zope zope 2.9.0-b2
zope zope 2.9.6
zope zope 2.11.4
zope zope 2.9.0
zope zope 2.10.4-final
zope zope 2.9.7
zope zope 2.10.7
zope zope 2.9.10
zope zope 2.8.10
zope zope 2.10.11
CVE-2010-3198 MEDIUM

ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zope zope 2.10.5
zope zope 2.11.0
zope zope 2.10.0-b2
zope zope 2.10.3
zope zope 2.10.2-final
zope zope 2.11.2
zope zope 2.11.5
zope zope 2.11.6
zope zope 2.11.0a1
zope zope 2.11.0c1
zope zope 2.10.2
zope zope 2.11.3
zope zope 2.10.9
zope zope 2.10.8
zope zope 2.11.4
zope zope 2.10.0-c1
zope zope 2.10.0-b1
zope zope 2.10.0-final
zope zope 2.10.4-final
zope zope 2.10.10
zope zope 2.10.3-final
zope zope 2.10.7
zope zope 2.11.0b1
zope zope 2.10.2-b1
zope zope 2.10.11
zope zope 2.11.1
zope zope 2.10.6
CVE-2010-3495 MEDIUM

Race condition in ZEO/StorageServer.py in Zope Object Database (ZODB) before 3.10.0 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
zope zodb 3.8.0
zope zodb 3.3.3
zope zodb 3.8.1
zope zodb 3.4.1
zope zodb 3.9.0b4
zope zodb 3.7
zope zodb 3.2.4
zope zodb 2.11.4
zope zodb 2.9.11
zope zodb 2.10.9
zope zodb 3.8.6
zope zodb *
zope zodb 3.6
zope zodb 3.4
zope zodb 3.9.0c1
zope zodb 3.9.0b3
zope zodb 2.8.11
zope zodb 3.9.0b5
zope zodb 3.1
zope zodb 3.9.0b2
zope zodb 3.9.0b1
zope zodb 3.3
zope zodb 3.8.2
zope zodb 3.5
zope zodb 3.2
zope zodb 3.8
zope zodb 3.9.0
zope zodb 3.1.1
CVE-2011-2528 HIGH

Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zope zope 2.13.2
plone plone 3.3.4
zope zope 2.12.7
plone plone 3.0
plone plone 3.0.6
plone plone 3.1.6
plone plone 3.2
plone plone 3.0.5
plone plone 3.1.5.1
zope zope 2.13.5
plone plone 3.1.4
zope zope 2.12.17
zope zope 2.13.7
plone plone 4.0.2
plone plone 3.0.3
zope zope 2.12.18
plone plone 3.3
plone plone_hotfix_20110720 *
plone plone 3.1.7
plone plone 4.0.3
zope zope 2.12.14
zope zope 2.13.3
zope zope 2.12.1
plone plone 4.0.7
zope zope 2.12.11
zope zope 2.12.6
plone plone 3.2.1
zope zope 2.12.2
zope zope 2.12.0
plone plone 3.3.6
plone plone 3.3.3
plone plone 4.1
zope zope 2.12.5
zope zope 2.13.6
plone plone 4.0.1
zope zope 2.12.16
plone plone 3.0.4
zope zope 2.12.3
plone plone 3.3.2
zope zope 2.12.12
plone plone 3.3.5
plone plone 3.0.2
plone plone 4.0
zope zope 2.12.4
plone plone 3.2.2
zope zope 2.13.0
plone plone 3.1.3
plone plone 3.1
plone plone 3.3.1
plone plone 4.0.5
zope zope 2.13.1
plone plone 4.0.4
zope zope 2.12.15
plone plone 3.1.2
zope zope 2.12.10
plone plone 3.0.1
plone plone 3.1.1
zope zope 2.12.9
zope zope 2.13.4
plone plone 4.0.8
plone plone 4.0.6.1
plone plone 3.2.3
zope zope 2.12.8
zope zope 2.12.13
CVE-2011-3587 HIGH

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
plone plone 4.1
zope zope 2.13.2
plone plone 4.2a2
zope zope 2.12.5
zope zope 2.13.6
plone plone 4.0.1
zope zope 2.12.7
zope zope 2.12.16
plone plone 4.2a1
zope zope 2.12.3
zope zope 2.12.12
zope zope 2.13.9
plone plone 4.0
zope zope 2.12.4
zope zope 2.13.10
zope zope 2.13.5
zope zope 2.13.0
zope zope 2.12.17
zope zope 2.12.20
zope zope 2.13.7
plone plone 4.0.5
plone plone 4.0.2
plone plone 4.0.9
zope zope 2.12.18
zope zope 2.13.1
plone plone 4.2
plone plone 4.0.4
zope zope 2.12.15
zope zope 2.12.10
plone plone 4.0.3
zope zope 2.12.9
zope zope 2.12.14
zope zope 2.13.4
zope zope 2.13.8
zope zope 2.13.3
plone plone 4.0.8
zope zope 2.12.1
plone plone 4.0.7
plone plone 4.0.6.1
zope zope 2.12.11
zope zope 2.12.6
zope zope 2.12.19
zope zope 2.12.2
zope zope 2.12.8
zope zope 2.12.13
zope zope 2.12.0
CVE-2012-5486 MEDIUM

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
plone plone 4.2.0.1
zope zope 2.7.5
plone plone 1.0.2
zope zope 2.6.4
zope zope 2.7.6
plone plone 3.3.4
zope zope 2.11.0
plone plone 3.0
plone plone 3.0.6
plone plone 1.0.4
plone plone 3.1.6
plone plone 2.5.5
plone plone 2.0.1
zope zope 2.10.3
plone plone 1.0.6
plone plone 3.2
plone plone 3.0.5
zope zope 2.8.4
zope zope 2.11.2
plone plone 2.1
zope zope 2.8.1
plone plone 2.1.3
plone plone 3.1.5.1
plone plone 4.2.1
plone plone 2.1.2
plone plone 3.1.4
plone plone 4.1.4
zope zope 2.7.8
zope zope 2.11.3
plone plone 4.0.2
plone plone 3.0.3
plone plone 3.3
zope zope 2.10.8
plone plone 3.1.7
plone plone 2.5.3
plone plone 4.0.3
zope zope 2.9.2
plone plone 4.3
plone plone 4.2.1.1
zope zope 2.7.3
zope zope 2.8.8
plone plone 1.0.1
plone plone 3.2.1
zope zope 2.11.1
plone plone 2.0.2
plone plone 3.3.3
plone plone 4.1
plone plone 2.1.4
zope zope 2.7.0
plone plone 4.0.1
plone plone 2.5.1
zope zope 2.6.1
zope zope 2.13.18
plone plone 3.0.4
plone plone 4.1.6
zope zope 2.8.6
plone plone 2.0.4
plone plone 3.3.2
zope zope 2.9.5
plone plone 3.3.5
plone plone 3.0.2
plone plone 4.0
plone plone 3.2.2
plone plone 2.0.3
zope zope 2.9.4
zope zope 2.9.3
plone plone 3.1.3
plone plone 3.1
zope zope 2.7.4
zope zope 2.5.1
plone plone 3.3.1
plone plone 4.0.5
plone plone 4.2
plone plone 4.0.4
zope zope 2.9.6
plone plone 2.0.5
plone plone 3.1.2
plone plone 4.1.5
plone plone 3.0.1
plone plone *
plone plone 2.0
plone plone 1.0.3
zope zope 2.7.7
plone plone 3.1.1
plone plone 1.0.5
plone plone 1.0
plone plone 2.5.2
plone plone 2.5
plone plone 2.5.4
zope zope 2.9.7
plone plone 4.0.6.1
plone plone 3.2.3
plone plone 2.1.1
CVE-2012-6661 MEDIUM

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
plone plone 1.0.2
plone plone 3.3.4
plone plone 3.0
plone plone 3.0.6
plone plone 1.0.4
plone plone 3.1.6
plone plone 2.5.5
plone plone 2.0.1
plone plone 1.0.6
plone plone 3.2
plone plone 3.0.5
plone plone 2.1
plone plone 2.1.3
plone plone 3.1.5.1
plone plone 4.2.1
plone plone 2.1.2
plone plone 3.1.4
plone plone 4.1.4
plone plone 4.0.2
plone plone 3.0.3
plone plone 3.3
plone plone 3.1.7
plone plone 2.5.3
plone plone 4.0.3
plone plone 4.3
plone plone 1.0.1
plone plone 3.2.1
zope zope *
plone plone 2.0.2
plone plone 3.3.3
plone plone 4.1
plone plone 2.1.4
plone plone 4.0.1
plone plone 2.5.1
plone plone 3.0.4
plone plone 4.1.6
plone plone 2.0.4
plone plone 3.3.2
plone plone 3.3.5
plone plone 3.0.2
plone plone 4.0
plone plone 3.2.2
plone plone 2.0.3
plone plone 3.1.3
plone plone 3.1
plone plone 3.3.1
plone plone 4.0.5
plone plone 4.2
plone plone 4.0.4
plone plone 2.0.5
plone plone 3.1.2
plone plone 4.1.5
plone plone 3.0.1
plone plone *
plone plone 2.0
plone plone 1.0.3
plone plone 3.1.1
plone plone 1.0.5
plone plone 1.0
plone plone 2.5.2
plone plone 2.5
plone plone 2.5.4
plone plone 4.0.6.1
plone plone 3.2.3
plone plone 2.1.1
CVE-2015-7293 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
plone plone 4.3.9
plone plone 3.3.6
plone plone 3.3.3
plone plone 4.1
plone plone 4.3.7
plone plone 3.3.4
plone plone 4.3.5
plone plone 4.0.1
plone plone 4.2.6
plone plone 4.3.1
plone plone 4.3.8
plone plone 4.1.6
plone plone 4.3.4
plone plone 4.1.2
plone plone 3.3.2
plone plone 3.3.5
plone plone 4.0
plone plone 4.2.5
plone plone 4.3.2
plone plone 4.1.1
plone plone 4.2.1
plone plone 4.2.3
plone plone 4.1.4
plone plone 4.3.11
plone plone 3.3.1
plone plone 4.0.5
plone plone 4.0.2
plone plone 4.2.4
plone plone 4.0.9
plone plone 4.2.7
plone plone 4.0.10
plone plone 4.2
plone plone 4.2.2
plone plone 4.3.6
plone plone 4.0.4
plone plone 3.3
plone plone 4.3.3
plone plone 4.3.10
plone plone 4.1.5
plone plone 4.1.3
plone plone 4.0.3
plone plone 4.3
plone plone 4.0.8
plone plone 4.0.7
zope zope_management_interface *
plone plone 4.3.12
plone plone 4.3.14
CVE-2021-21336 MEDIUM

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zope products.pluggableauthservice *
plone plone *
CVE-2021-21337 MEDIUM

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
zope products.pluggableauthservice *
CVE-2021-21360 MEDIUM

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zope products.genericsetup *
CVE-2021-32633 MEDIUM

Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.6 5.2
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
plone plone *
zope zope *
CVE-2021-32674 MEDIUM

Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
zope zope *
CVE-2021-32807 MEDIUM

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-915,CWE-1321,

Products Affected

Vendor Product Version
zope accesscontrol *
CVE-2021-32811 MEDIUM

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-915,CWE-1321,

Products Affected

Vendor Product Version
zope accesscontrol *
zope zope *
CVE-2021-33507 MEDIUM

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
plone plone *
zope zope *
CVE-2021-36089 MEDIUM

Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::FileFormatDecompress::apply_palette_clr (called from grk::FileFormatDecompress::applyColour).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
zope grok *
CVE-2023-36814

Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of `Products.CMFCore`, such as Plone. All deployments are vulnerable. The code has been fixed in `Products.CMFCore` version 3.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zope products.cmfcore *
CVE-2023-37271

RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope Page Template`. This is a non-default configuration and likely to be extremely rare. The problem has been fixed in versions 6.1 and 5.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.4 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L 1.8 6.0

Products Affected

Vendor Product Version
zope restrictedpython *
zope restrictedpython 6.0
CVE-2023-41039

RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L 1.7 6.0
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 3.1 4.0

Products Affected

Vendor Product Version
zope restrictedpython *
CVE-2023-41050

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 3.1 4.0
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
zope accesscontrol *
zope zope *
CVE-2023-42458

Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 1.2 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
zope zope *
CVE-2023-44389

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N 0.5 2.5
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
zope zope *
CVE-2024-24811

SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on the database to which the SQLAlchemyDA instance is connected. All users are affected. The problem has been patched in version 2.2. There is no workaround for the problem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zope sqlalchemyda *
CVE-2024-47532

RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

Products Affected

Vendor Product Version
zope restrictedpython *