Multiple vulnerabilities in Zope



Updated: 2025-06-17
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2001-1278
CVE-2000-1212
CVE-2000-1211
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Zope
Web applications / Other software

Vendor Zope

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU111193

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2001-1278

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user with partially trusted (limited) access to read and manipulate data that the security policy should not expose to them.

Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags. The fmt attribute names a method to apply to the variable's value, and that lookup was not subject to the checks that protect a direct call, so a method the user may not call directly could be reached through a template.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Zope: 2.2.0 - 2.2.4

External links

https://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3
https://www.redhat.com/support/errata/RHSA-2001-115.html
https://www.securityfocus.com/bid/3425


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network by a remote attacker who already holds the partially trusted access described above.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU111199

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2000-1212

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user with DTML editing privileges to modify data they are not authorized to change.

Zope 2.2.0 through 2.2.4 does not properly protect a data-updating method on Image and File objects, which allows attackers with DTML editing privileges to modify the raw data of these objects.

Mitigation

Apply the vendor hotfix (Hotfix 2000-12-18, linked below) or install the updated release from the vendor's website.

Vulnerable software versions

Zope: 2.2.0 - 2.2.4

External links

https://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000365
https://frontal2.mandriva.com/security/advisories?name=MDKSA-2000:086
https://www.debian.org/security/2001/dsa-007
https://www.osvdb.org/6283
https://www.redhat.com/support/errata/RHSA-2000-135.html
https://www.zope.org/Products/Zope/Hotfix_2000-12-18/security_alert
https://exchange.xforce.ibmcloud.com/vulnerabilities/5778


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network by a remote attacker who already holds DTML editing privileges.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU111200

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2000-1211

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform actions that the security policy should not permit.

Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML Method objects. Because the legacy name is not registered, invoking the constructor under that name is not covered by the security declarations that protect its regular name, which could allow attackers to perform unauthorized activities.
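The three items in this bulletin share one root cause: a call path reaches a method without passing the permission declared for it. The Python model below is an added illustration written for this page, not Zope's own code; the FileObject class, the DECLARED tables, the role names, the constructor dictionary and the formatter dispatch are all constructed for the example. It shows each path (item 1: a template formatter that resolves fmt with a plain getattr; item 2: a data-updating method that carries no declaration; item 3: a legacy alias of a declared constructor that is itself undeclared) beside a default-deny guard that closes it.

```python
"""Toy model of Zope-style declarative security (constructed example).

A call is allowed when the *name* it is made under is declared for one
of the caller's roles. Each item in the bulletin is a way of reaching a
method under a name (or via a path) that the declarations do not cover.
"""


class Unauthorized(Exception):
    pass


# Constructed permission table: callable name -> roles allowed to use it.
# Names absent from the table are "undeclared".
DECLARED = {
    "title_or_id": {"Anonymous", "Editor", "Manager"},
    "clear": {"Manager"},
    "manage_addDTMLMethod": {"Manager"},
}

# Hardened table: every reachable name, including the raw-data updater
# (item 2) and the legacy alias (item 3), is declared explicitly.
DECLARED_FIXED = {
    **DECLARED,
    "update_data": {"Manager"},
    "addDTMLMethod": {"Manager"},
}


class FileObject:
    """Stand-in for a File/Image-like object holding raw data."""

    def __init__(self, data):
        self.data = data

    def title_or_id(self):
        return "file"

    def clear(self):              # declared: Manager only
        self.data = b""
        return "cleared"

    def update_data(self, data):  # item 2: data-updating method, undeclared
        self.data = data
        return "updated"


def manage_addDTMLMethod(folder, name):   # declared constructor
    folder.append(name)
    return name


# item 3: legacy name bound to the same constructor, never declared
CONSTRUCTORS = {
    "manage_addDTMLMethod": manage_addDTMLMethod,
    "addDTMLMethod": manage_addDTMLMethod,
}


def permitted(name, roles, table, default_allow):
    """True if `roles` may call `name` under `table`.

    default_allow=True models the original behaviour, where an undeclared
    name is callable by anyone; False is the default-deny posture."""
    allowed = table.get(name)
    if allowed is None:
        return default_allow
    return bool(allowed & roles)


def guarded_call(namespace, name, roles, *args,
                 table=DECLARED_FIXED, default_allow=False):
    """Resolve `name` in `namespace` (object or dict) only after the check."""
    if not permitted(name, roles, table, default_allow):
        raise Unauthorized(name)
    target = namespace[name] if isinstance(namespace, dict) else getattr(namespace, name)
    return target(*args)


# item 1: the fmt="..." path of a template variable
FORMATTERS = {"upper": str.upper, "len": len}   # built-in formatters by name


def render_var_unchecked(value, fmt):
    """Vulnerable pattern: any attribute named by `fmt` is called directly,
    so a declared method such as `clear` is reached with no check at all."""
    if fmt in FORMATTERS:
        return FORMATTERS[fmt](value)
    return getattr(value, fmt)()


def render_var_checked(value, fmt, roles):
    """Hardened: built-in formatters by name; anything else goes through the
    same guarded lookup as a direct call would."""
    if fmt in FORMATTERS:
        return FORMATTERS[fmt](value)
    return guarded_call(value, fmt, roles)


if __name__ == "__main__":
    f = FileObject(b"secret")
    print(render_var_unchecked(f, "clear"))          # reaches a Manager-only method
    try:
        render_var_checked(FileObject(b"secret"), "clear", {"Editor"})
    except Unauthorized as exc:
        print("denied:", exc)
```

Passing table=DECLARED with default_allow=True reproduces the permissive behaviour the bulletin describes for items 2 and 3; the DECLARED_FIXED table plus the default-deny policy are the two remediations the model makes visible: declare every reachable name, including aliases, and refuse names that carry no declaration.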

Mitigation

Apply the vendor hotfix (Hotfix 2000-12-08, linked below) or install the updated release from the vendor's website.

Vulnerable software versions

Zope: 2.2.0 - 2.2.4

External links

https://www.iss.net/security_center/static/5824.php
https://www.linux-mandrake.com/en/security/2000/MDKSA-2000-083.php3
https://www.osvdb.org/6282
https://www.redhat.com/support/errata/RHSA-2000-125.html
https://www.zope.org/Products/Zope/Hotfix_2000-12-08/security_alert


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network by a remote attacker.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


