CVE-2011-4924
Description
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, 2.12.x before 2.12.3, and 3.1.1 through 3.4.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Zope 2.8.x-2.12.x and 3.1.1-3.4.1 due to incomplete error message sanitization, allowing arbitrary web script injection.
Vulnerability Overview
CVE-2011-4924 is a cross-site scripting (XSS) vulnerability in Zope versions 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, 2.12.x before 2.12.3, and 3.1.1 through 3.4.1. The issue arises from an incomplete fix for CVE-2010-1104: error messages are not properly sanitized before being rendered, allowing injection of arbitrary web script or HTML [1][2][3].
Exploitation
An attacker can exploit this vulnerability by tricking a logged-in user into visiting a specially crafted URL. The malicious script executes in the context of the user's Zope session, leveraging the incomplete sanitization of error messages [4]. No authentication is required for the attacker beyond triggering the victim to access the crafted link.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, potentially leading to session hijacking, data theft, or other malicious actions [2]. The vulnerability is classified as XSS and can affect any application served by the vulnerable Zope instance.
Mitigation
Patched versions are available: upgrade to Zope 2.8.12, 2.9.12, 2.10.11, 2.11.6, 2.12.3, or later. The fix addresses the incomplete sanitization that was present after CVE-2010-1104 [1][3]. Users unable to upgrade should review workarounds provided by the vendor or apply input validation to error message content.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zope (PyPI) | >= 3.1.1, < 3.7.3 | 3.7.3 |
| zope2 (PyPI) | < 2.12.22 | 2.12.22 |
| zope2 (PyPI) | >= 2.13.0a1, < 2.13.12 | 2.13.12 |
Affected products
- ghsa-coords (no CPE), range: >= 3.1.1, < 3.7.3
- ghsa-coords (no CPE), range: < 2.12.22
- zope/zope2, zope3 (v5), range: 2.8.x before 2.8.12
Patches
a0655194cb39 Prep 2.13.12 release with CVE-2010-1104 fix.
4 files changed · +9 −5
doc/CHANGES.rst+4 −1 modified@@ -5,9 +5,12 @@ This file contains change information for the current Zope release. Change information for previous versions of Zope can be found at http://docs.zope.org/zope2/releases/. -2.13.12 (unreleased) +2.13.12 (2012-01-18) -------------------- +- Prevent a cross-site-scripting attack against the default standard + error message handling. (CVE-2010-1104). + - Use ``in`` operator instead of deprecated ``has_key`` method (which is not implemented by ``OFS.ObjectManager``). This fixes an issue with WebDAV requests for skin objects.
setup.py+1 −1 modified@@ -23,7 +23,7 @@ setup(name='Zope2', - version='2.13.12dev', + version='2.13.12', url='http://zope2.zope.org', license='ZPL 2.1', description='Zope2 application server / web framework',
src/OFS/SimpleItem.py+2 −1 modified@@ -45,6 +45,7 @@ from ExtensionClass import Base from Persistence import Persistent from webdav.Resource import Resource +from webdav.xmltools import escape as xml_escape from zExceptions import Redirect from zExceptions.ExceptionFormatter import format_exception from zope.interface import implements @@ -232,7 +233,7 @@ def raise_standardErrorMessage( 'error_value': error_value, 'error_tb': error_tb, 'error_traceback': error_tb, - 'error_message': error_message, + 'error_message': xml_escape(str(error_message)), 'error_log_url': error_log_url} if getattr(aq_base(s), 'isDocTemp', 0):
src/ZPublisher/tests/exception_handling.txt+2 −2 modified@@ -203,9 +203,9 @@ converts it into zExceptions.NotFound if we are not in debug mode. Traceback (most recent call last): ... HTTPError: HTTP Error 404: Not Found - >>> '<p><strong>Resource not found</strong></p>' in browser.contents + >>> '<p><strong>Resource not found</strong></p>' in browser.contents True - >>> '<p><b>Resource:</b> index_html</p>' in browser.contents + >>> '<p><b>Resource:</b> index_html</p>' in browser.contents True >>> browser.handleErrors = False
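Review bot: In the src/OFS/SimpleItem.py hunk only 'error_message' is escaped; 'error_value', 'error_tb' and 'error_traceback' go into the same dictionary unchanged, and if the standard error template renders any of them (error_value is normally derived from the exception text, which is what the unsanitized error message came from) this fix is as partial as the CVE-2010-1104 one it replaces, so either escape them the same way (`'error_value': xml_escape(str(error_value)),`) or document why they are safe. Two further points on `xml_escape(str(error_message))`: on Python 2 `str()` of a unicode message containing non-ASCII characters raises UnicodeEncodeError inside the error handler itself, so the value should be coerced safely before escaping; and webdav.xmltools.escape should be checked to escape quote characters as well as &, < and >, because an escape that stops at those three is not enough if the value is ever interpolated into an attribute.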
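Review bot: The src/ZPublisher/tests/exception_handling.txt hunk removes and re-adds lines that read identically here, so it is a whitespace-only change and nothing in the patch exercises the new escaping. Add a doctest that raises an error whose message contains '<' and asserts that the escaped form ('&lt;') appears in browser.contents while the raw markup does not; without it a later refactor can silently drop the xml_escape call. The doc/CHANGES.rst entry also cites only CVE-2010-1104, although the description on this page records that this follow-up for the incomplete fix was assigned CVE-2011-4924; naming the new identifier in the changelog lets downstream trackers map the 2.13.12 release correctly.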
37e4ea774acc Prep 2.12.22 release with CVE-2010-1104 fix.
4 files changed · +8 −5
doc/CHANGES.rst+3 −1 modified@@ -5,9 +5,11 @@ This file contains change information for the current Zope release. Change information for previous versions of Zope can be found at http://docs.zope.org/zope2/releases/. -2.12.22 (unreleased) +2.12.22 (2012-01-18) -------------------- +- Prevent a cross-site-scripting attack against the default standard + error message handling. (CVE-2010-1104). 2.12.21 (2011-12-12) --------------------
setup.py+1 −1 modified@@ -16,7 +16,7 @@ from setuptools import setup, find_packages, Extension setup(name='Zope2', - version='2.12.22dev', + version='2.12.22', url='http://www.zope.org', license='ZPL 2.1', description='Zope2 application server / web framework',
src/OFS/SimpleItem.py+2 −1 modified@@ -49,6 +49,7 @@ from ExtensionClass import Base from Persistence import Persistent from webdav.Resource import Resource +from webdav.xmltools import escape as xml_escape from zExceptions import Redirect from zExceptions import upgradeException from zExceptions.ExceptionFormatter import format_exception @@ -245,7 +246,7 @@ def raise_standardErrorMessage( 'error_value': error_value, 'error_tb': error_tb, 'error_traceback': error_tb, - 'error_message': error_message, + 'error_message': xml_escape(str(error_message)), 'error_log_url': error_log_url} if getattr(aq_base(s), 'isDocTemp', 0):
src/ZPublisher/tests/exception_handling.txt+2 −2 modified@@ -191,9 +191,9 @@ converts it into zExceptions.NotFound if we are not in debug mode. Traceback (most recent call last): ... HTTPError: HTTP Error 404: Not Found - >>> '<p><strong>Resource not found</strong></p>' in browser.contents + >>> '<p><strong>Resource not found</strong></p>' in browser.contents True - >>> '<p><b>Resource:</b> index_html</p>' in browser.contents + >>> '<p><b>Resource:</b> index_html</p>' in browser.contents True >>> browser.handleErrors = False
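Review bot: The src/OFS/SimpleItem.py and src/ZPublisher/tests/exception_handling.txt hunks in this 2.12.22 backport are byte-for-byte the same change as in a0655194cb39 and inherit its gaps: only 'error_message' is passed through xml_escape while 'error_value', 'error_tb' and 'error_traceback' remain unescaped in the same dictionary, `str(error_message)` can itself raise on a non-ASCII unicode message under Python 2, and the test diff is whitespace-only with no assertion that a message containing '<' is rendered as '&lt;'. Since both release branches receive the identical hunk, fixing these once and cherry-picking keeps 2.12 and 2.13 consistent; the doc/CHANGES.rst entry should likewise reference CVE-2011-4924 alongside CVE-2010-1104.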
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vh6g-786f-hxxp (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-4924 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2012/01/19/16 (GHSA, x_refsource_MISC; web)
- www.openwall.com/lists/oss-security/2012/01/19/17 (GHSA, x_refsource_MISC; web)
- www.openwall.com/lists/oss-security/2012/01/19/18 (GHSA, x_refsource_MISC; web)
- www.openwall.com/lists/oss-security/2012/01/19/19 (GHSA, x_refsource_MISC; web)
- access.redhat.com/security/cve/cve-2011-4924 (GHSA, x_refsource_MISC; web)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_MISC; web)
- github.com/zopefoundation/Zope/commit/37e4ea774acc668f6b430a45a6ab1e359710f590 (GHSA; web)
- github.com/zopefoundation/Zope/commit/a0655194cb39ad88ce3323a3e489927c5f979c44 (GHSA; web)
- security-tracker.debian.org/tracker/CVE-2011-4924 (GHSA, x_refsource_MISC; web)
News mentions
No linked articles in our index yet.