Foundation
Products (7)
- Zope: 5 CVEs (pypi)
- RestrictedPython: 4 CVEs (pypi)
- AccessControl: 3 CVEs (pypi)
- 1 CVE
- 1 CVE
- Products.CMFCore: 1 CVE (pypi)
- 1 CVE
Recent CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51734 | AccessControl | High | 0.57 | — | 0.00 | | Nov 4, 2024 | Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2.… |
| CVE-2024-24811 | SQLAlchemyDA | Critical | 0.57 | 9.8 | 0.01 | | Feb 7, 2024 | SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on the database to which the SQLAlchemyDA instance is connected. All users are affected. The problem has been… |
| CVE-2021-32674 | Zope | High | 0.50 | 8.8 | 0.02 | | Jun 8, 2021 | Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available… |
| CVE-2020-26304 | Foundation (front-end framework) | High | 0.49 | 7.5 | 0.01 | | Oct 26, 2024 | Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available. |
| CVE-2023-50053 | Foundation.app | High | 0.49 | 7.6 | 0.01 | | Apr 30, 2024 | An issue in Foundation.app Foundation platform 1.0 allows a remote attacker to obtain sensitive information via the Web3 authentication process of Foundation, the signed message lacks a nonce (random number) |
| CVE-2023-37271 | RestrictedPython | High | 0.48 | 8.4 | 0.01 | | Jul 11, 2023 | RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least… |
| CVE-2023-41039 | RestrictedPython | High | 0.47 | 8.3 | 0.01 | | Aug 30, 2023 | RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access.… |
| CVE-2025-22153 | RestrictedPython | High | 0.44 | 7.9 | 0.00 | | Jan 23, 2025 | RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`,… |
| CVE-2023-36814 | Products.CMFCore | High | 0.42 | 7.5 | 0.01 | | Jul 3, 2023 | Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and crash situation. The… |
| CVE-2021-32811 | Zope | High | 0.42 | 7.5 | 0.02 | | Aug 2, 2021 | Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and… |
| CVE-2023-41050 | AccessControl | Medium | 0.37 | 6.8 | 0.01 | | Sep 6, 2023 | AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses… |
| CVE-2021-32633 | Zope | Medium | 0.37 | 6.8 | 0.02 | | May 21, 2021 | Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through… |
| CVE-2024-47532 | RestrictedPython | Medium | 0.35 | 6.5 | 0.01 | | Sep 30, 2024 | RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround,… |
| CVE-2021-32807 | AccessControl | Medium | 0.22 | 4.4 | 0.02 | | Jul 30, 2021 | The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl`… |
| CVE-2023-42458 | Zope | Low | 0.17 | 3.7 | 0.01 | | Sep 21, 2023 | Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To… |
| CVE-2023-44389 | Zope | Low | 0.13 | 3.1 | 0.00 | | Oct 4, 2023 | Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches… |
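The CVE-2023-41039 (RestrictedPython) and CVE-2023-41050 (AccessControl) rows above both describe the same primitive: whoever controls a format string passed to Python's `format` can walk attribute lookups and subscriptions from any object they are allowed to touch. The block below is an added example written for this page, not code from Zope, RestrictedPython or AccessControl, and it does not reproduce those projects' fixes (for which upgrade to the versions the advisories name). It shows the read primitive in plain CPython and one hardening pattern: format only through an explicit allowlist of scalar fields with a `string.Formatter` subclass that refuses dotted or subscripted replacement fields. The `Greeting` class, the module-level `DB_PASSWORD` "secret" and the templates are constructed for the example.

```python
"""Attacker-controlled format strings as a read primitive.

Added example, not code from Zope, AccessControl or RestrictedPython.
str.format() resolves "{0.attr}" and "{0[key]}" with ordinary attribute
lookup and subscription, so whoever controls the format string can walk
from any object they may reference to everything that object reaches.
The class, the module-level "secret" and the templates are constructed.
"""
import string

DB_PASSWORD = "hunter2"  # constructed secret; lives in this module's globals


class Greeting:
    """A harmless object the untrusted template is allowed to reference."""

    def __init__(self, name):
        self.name = name


def render_unsafe(template, obj):
    """Vulnerable pattern: the untrusted caller supplies the template.

    A template such as
        "{0.__class__.__init__.__globals__[DB_PASSWORD]}"
    walks obj -> its class -> the __init__ function -> that function's
    globals dict -> the secret, none of which the template author was
    ever handed directly.
    """
    return template.format(obj)


class FieldOnlyFormatter(string.Formatter):
    """Formatter that refuses dotted or subscripted replacement fields.

    string.Formatter.get_field() is where "{a.b[c]}" is resolved; by
    rejecting anything beyond the bare field name we stop the traversal
    before any getattr()/__getitem__ call happens. Nested fields inside a
    format spec ("{x:{width}}") are resolved through the same hook.
    """

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(
                "attribute or index access in format field %r is not allowed"
                % field_name
            )
        return super().get_field(field_name, args, kwargs)


def render_safe(template, obj):
    """Hardened pattern: expose an explicit allowlist of scalar fields as
    keyword arguments, never the object itself, and format through
    FieldOnlyFormatter. Positional fields like "{0}" have nothing to bind."""
    fields = {"name": obj.name}
    return FieldOnlyFormatter().format(template, **fields)


def is_rejected(template, obj):
    """True if the hardened renderer refuses the template."""
    try:
        render_safe(template, obj)
    except (ValueError, KeyError, IndexError):
        return True
    return False


if __name__ == "__main__":
    g = Greeting("alice")
    evil = "{0.__class__.__init__.__globals__[DB_PASSWORD]}"
    print(render_unsafe("Hello {0.name}", g))  # Hello alice
    print(render_unsafe(evil, g))              # hunter2  (the leak)
    print(render_safe("Hello {name}", g))      # Hello alice
    print(is_rejected(evil, g))                # True
```

The check in `get_field` is deliberately placed before `super().get_field()` runs, because that call is what performs the `getattr` chain; filtering the rendered output afterwards would be too late. The allowlist also matters on its own: even with traversal blocked, passing the object as a positional argument would still let `"{0}"` call its `__str__`/`__format__`, so hand the formatter only the scalar values the template is meant to see.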