VYPR
Medium severity · 6.1 · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026

CVE-2009-5145

Description

Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
Zope2 (PyPI)   < 2.12.5            2.12.5

Affected products

  • Zope/Zope (10 versions)
    • cpe:2.3:a:zope:zope:2.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.6:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.7:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.10.9:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.11.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zope:zope:2.12.0:*:*:*:*:*:*:*

Patches

2abdf14620f1

LP #490514: preserve tainting when calling into DTML from ZPT.

https://github.com/zopefoundation/Zope · Tres Seaver · Dec 2, 2009 · via ghsa
3 files changed · +16 −0
  • doc/CHANGES.rst (+2 −0, modified)
    @@ -60,6 +60,8 @@ Features Added
     Bugs Fixed
     ++++++++++
     
    +- LP #490514:  preserve tainting when calling into DTML from ZPT.
    +
     - LP #414757: Don't send a request closed event from a cloned request.
     
     - LP #418454: FTP server did not work with Python 2.6.X
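Review bot: the new entry has a double space after the colon (`LP #490514:  preserve tainting ...`), while the neighbouring entries (`LP #414757:`, `LP #418454:`) use a single space; tighten it to match the rest of the changelog.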
    
  • src/Products/PageTemplates/tests/testZRPythonExpr.py (+12 −0, modified)
    @@ -39,6 +39,18 @@ def _find_request(td):
     
             result = call_with_ns(_find_request, names)
             self.assertEqual(result, {})
    +
    +    def test_call_with_request_preserves_tainting(self):
    +        from Products.PageTemplates.ZRPythonExpr import call_with_ns
    +        class Request(dict):
    +            def taintWrapper(self):
    +                return {'tainted': 'found'}
    +        context = ['context']
    +        here = ['here']
    +        names = {'context' : context, 'here': here, 'request' : Request()}
    +
    +        found = call_with_ns(lambda td: td['tainted'], names)
    +        self.assertEqual(found, 'found')
      
     def test_suite():
         return unittest.makeSuite(MiscTests)
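Review bot: the test stubs `taintWrapper()` with a plain dict, so it only proves that `call_with_ns` consults the wrapper, not that request values actually keep their taint once pushed; `td['tainted']` returning the literal `'found'` would pass even if the mapping the wrapper handed back had stripped tainting. Consider a second assertion that goes through the real request wrapper (or checks the type of the value it hands back), and a companion case where `request` is a plain dict, to pin down that the pre-existing no-wrapper path is unchanged.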
    
  • src/Products/PageTemplates/ZRPythonExpr.py (+2 −0, modified)
    @@ -69,6 +69,8 @@ def call_with_ns(f, ns, arg=1):
         this = ns.get('context', ns.get('here'))
         td.this = this
         request = ns.get('request', {})
    +    if hasattr(request, 'taintWrapper'):
    +        request = request.taintWrapper()
         td._push(request)
         td._push(InstanceDict(td.this, td))
         td._push(ns)
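Review bot: the `hasattr(request, 'taintWrapper')` branch is undocumented; a one-line comment saying why the wrapped request is pushed instead of the raw one (so DTML reached from a page template sees tainted request values, as the LP #490514 title implies) would help the next reader, since the bug reference is the only hint. Also note that `td._push(ns)` below still pushes the namespace holding the original, unwrapped `request` object, so only lookups that resolve through the pushed request mapping see the wrapped values; worth confirming that this is the intended scope of the fix and saying so in the comment.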
    
