PyPI package
zope
pkg:pypi/zope
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-51734 | Hig | — | < 5.11.1 | 5.11.1 | Nov 4, 2024 | Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. User | |
| CVE-2023-44389 | — | >= 4.0.0, < 4.8.11 | 4.8.11 | Oct 4, 2023 | Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches w | ||
| CVE-2023-42458 | — | < 4.8.10 | 4.8.10 | Sep 21, 2023 | Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To expl | ||
| CVE-2023-41050 | — | < 4.8.9 | 4.8.9 | Sep 6, 2023 | AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and | ||
| CVE-2021-32811 | — | >= 4.0, < 4.6.3 | 4.6.3 | Aug 2, 2021 | Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have | ||
| CVE-2021-32674 | — | >= 5.0, < 5.2.1 | 5.2.1 | Jun 8, 2021 | Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available fo | ||
| CVE-2021-32633 | — | < 4.6 | 4.6 | May 21, 2021 | Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through t | ||
| CVE-2011-4924 | — | >= 3.1.1, < 3.7.3 | 3.7.3 | Nov 25, 2019 | Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way err | ||
| CVE-2010-3198 | — | >= 2.10.0, < 2.10.12 | 2.10.12 | Sep 8, 2010 | ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions. | ||
| CVE-2002-0688 | — | >= 2.4.0, < 2.6.0 | 2.6.0 | Jul 23, 2002 | ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes. | ||
| CVE-2002-0687 | — | >= 2.0.0, < 2.4.4b2 | 2.4.4b2 | Jul 23, 2002 | The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers. | ||
| CVE-2002-0170 | — | >= 2.2.0, < 2.4.4 | 2.4.4 | Apr 22, 2002 | Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration. | ||
| CVE-2000-1212 | — | >= 2.2.0, <= 2.2.4 | — | Dec 18, 2000 | Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects. | ||
| CVE-2000-1211 | — | >= 2.2.0, <= 2.2.4 | — | Dec 16, 2000 | Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities. | ||
| CVE-2000-0725 | — | < 2.2.1 | 2.2.1 | Oct 20, 2000 | Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. | ||
| CVE-2000-0483 | — | <= 2.2 | — | Jun 15, 2000 | The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization. | ||
| CVE-2000-0062 | — | >= 2.2.0, <= 2.2.4 | — | Jan 4, 2000 | The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities. |
- affected < 5.11.1fixed 5.11.1
Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. User
- CVE-2023-44389Oct 4, 2023affected >= 4.0.0, < 4.8.11fixed 4.8.11
Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches w
- CVE-2023-42458Sep 21, 2023affected < 4.8.10fixed 4.8.10
Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To expl
- CVE-2023-41050Sep 6, 2023affected < 4.8.9fixed 4.8.9
AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and
- CVE-2021-32811Aug 2, 2021affected >= 4.0, < 4.6.3fixed 4.6.3
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have
- CVE-2021-32674Jun 8, 2021affected >= 5.0, < 5.2.1fixed 5.2.1
Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available fo
- CVE-2021-32633May 21, 2021affected < 4.6fixed 4.6
Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through t
- CVE-2011-4924Nov 25, 2019affected >= 3.1.1, < 3.7.3fixed 3.7.3
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way err
- CVE-2010-3198Sep 8, 2010affected >= 2.10.0, < 2.10.12fixed 2.10.12
ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.
- CVE-2002-0688Jul 23, 2002affected >= 2.4.0, < 2.6.0fixed 2.6.0
ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes.
- CVE-2002-0687Jul 23, 2002affected >= 2.0.0, < 2.4.4b2fixed 2.4.4b2
The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers.
- CVE-2002-0170Apr 22, 2002affected >= 2.2.0, < 2.4.4fixed 2.4.4
Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.
- CVE-2000-1212Dec 18, 2000affected >= 2.2.0, <= 2.2.4
Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects.
- CVE-2000-1211Dec 16, 2000affected >= 2.2.0, <= 2.2.4
Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML method objects, which could allow attackers to perform unauthorized activities.
- CVE-2000-0725Oct 20, 2000affected < 2.2.1fixed 2.2.1
Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.
- CVE-2000-0483Jun 15, 2000affected <= 2.2
The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization.
- CVE-2000-0062Jan 4, 2000affected >= 2.2.0, <= 2.2.4
The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.