Multiple vulnerabilities in Zope
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU111201
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2000-0725
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code.
Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.
MitigationInstall update from vendor's website.
Vulnerable software versionsZope: 1.10.3 - 2.2 beta1
CPE2.3- cpe:2.3:a:zope:zope:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2_beta1:*:*:*:*:*:*:*
https://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html
https://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html
https://www.debian.org/security/2000/20000821
https://www.redhat.com/support/errata/RHSA-2000-052.html
https://www.securityfocus.com/bid/1577
https://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU111202
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2000-0483
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without authorization.
MitigationInstall update from vendor's website.
Vulnerable software versionsZope: 1.10.3 - 2.1.7
CPE2.3- cpe:2.3:a:zope:zope:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.1.7:*:*:*:*:*:*:*
https:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A38.zope.asc
https://archives.neohapsis.com/archives/bugtraq/2000-06/0144.html
https://archives.neohapsis.com/archives/bugtraq/2000-07/0412.html
https://www.redhat.com/support/errata/RHSA-2000-038.html
https://www.securityfocus.com/bid/1354
https://www.securityfocus.com/templates/archive.pike?list=1&msg=20000616103807.A3768@conectiva.com.br
https://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert
https://exchange.xforce.ibmcloud.com/vulnerabilities/4716
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU111203
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2000-0062
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.
MitigationInstall update from vendor's website.
Vulnerable software versionsZope: 1.10.3 - 2.1.1
CPE2.3 External linkshttps://www.securityfocus.com/bid/922
https://www.securityfocus.com/templates/archive.pike?list=1&msg=20000104222219.B41650@schvin.net
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
