SB2016101858 - Multiple vulnerabilities in Zope
Published: October 18, 2016 Updated: June 17, 2025
Description
This security bulletin contains information about 2 security vulnerabilities. Both are authorization bypasses that require some level of access to the Zope instance (a partially trusted user, such as one who can author DTML), not a fully anonymous attacker.
1) Improper access control (CVE-ID: CVE-2002-0170)
The vulnerability allows a remote user with limited privileges to access objects in violation of the intended permission configuration.
Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.
2) Improper access control (CVE-ID: CVE-2001-1227)
The vulnerability allows a remote, partially trusted user to call methods that the security policy is supposed to restrict, and so to read or manipulate data.
Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.
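The mechanism behind the second issue is a template attribute that falls through to arbitrary method dispatch on the rendered value. The following is an added, illustrative Python model written for this bulletin; it is not Zope's code and does not reproduce Zope's DTML engine. The `Document` class, the `REQUIRED_ROLES` table, the `manage_secret` method and the sample template are all constructed for the example. It shows a toy `<dtml-var name fmt=...>` renderer in which an unknown `fmt` is resolved with `getattr` and called without consulting the caller's roles, beside a hardened variant that only dispatches non-built-in formatters when the method is declared and the caller holds a permitted role.

```python
# Added illustrative model, NOT Zope's code: a toy DTML-style renderer that
# shows how a ``fmt`` attribute falling through to arbitrary method dispatch
# bypasses access checks, and one way to close the hole.
import html
import re


class Unauthorized(Exception):
    """Raised when the caller lacks a role the requested method needs."""


class Document:
    """Constructed sample object: a harmless title plus one protected method."""

    def __init__(self, title, secret):
        self.title = title
        self._secret = secret

    def __str__(self):
        return self.title

    def manage_secret(self):
        # Hypothetical method intended for the Manager role only.
        return self._secret


# Hypothetical per-method role requirements. Methods not listed here are never
# reachable through fmt in the hardened renderer (default deny).
REQUIRED_ROLES = {"manage_secret": {"Manager"}}

# Built-in formatters are pure functions of the value and safe for any caller.
BUILTIN_FORMATS = {
    "upper": lambda v: str(v).upper(),
    "html-quote": lambda v: html.escape(str(v)),
}

# Matches <dtml-var NAME> or <dtml-var NAME fmt=FORMAT>
TAG = re.compile(r"<dtml-var\s+(\w+)(?:\s+fmt=([\w-]+))?\s*>")


def render_vulnerable(template, namespace, user_roles):
    """Variable lookup is confined to the namespace, but an unknown fmt is
    resolved as any attribute of the value and called with no role check."""
    def sub(match):
        name, fmt = match.group(1), match.group(2)
        value = namespace[name]
        if fmt in BUILTIN_FORMATS:
            value = BUILTIN_FORMATS[fmt](value)
        elif fmt:
            # The bypass: user_roles is never consulted for this call.
            value = getattr(value, fmt)()
        return str(value)
    return TAG.sub(sub, template)


def render_hardened(template, namespace, user_roles):
    """Same renderer, but a non-built-in fmt is dispatched only when the method
    is declared in REQUIRED_ROLES and the caller holds one of those roles."""
    def sub(match):
        name, fmt = match.group(1), match.group(2)
        value = namespace[name]
        if fmt in BUILTIN_FORMATS:
            value = BUILTIN_FORMATS[fmt](value)
        elif fmt:
            needed = REQUIRED_ROLES.get(fmt)
            if needed is None or not (needed & set(user_roles)):
                raise Unauthorized(
                    f"fmt={fmt!r} not permitted for roles {sorted(user_roles)}")
            value = getattr(value, fmt)()
        return str(value)
    return TAG.sub(sub, template)


def render_hardened_or_none(template, namespace, user_roles):
    """Convenience wrapper: None instead of an exception when access is denied."""
    try:
        return render_hardened(template, namespace, user_roles)
    except Unauthorized:
        return None


if __name__ == "__main__":
    ns = {"doc": Document("Quarterly report", "s3cret")}
    tpl = "<dtml-var doc fmt=manage_secret>"
    print("vulnerable, Anonymous:", render_vulnerable(tpl, ns, {"Anonymous"}))
    print("hardened, Anonymous:  ", render_hardened_or_none(tpl, ns, {"Anonymous"}))
    print("hardened, Manager:    ", render_hardened(tpl, ns, {"Manager"}))
```

The point the model makes is that confining the namespace a template can see is not enough: every indirect dispatch path (here the `fmt` attribute) has to go through the same permission check as a direct call, otherwise a partially trusted author reaches methods the policy meant to restrict.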
Remediation
Upgrade to Zope 2.2.4 or later to address CVE-2001-1227. For CVE-2002-0170, which affects Zope 2.2.0 through 2.5.1, apply the vendor hotfix from the Zope hotfixes page listed in the references or upgrade to a later release. Distribution users should apply the Red Hat and Mandrake errata referenced below.
References
- http://marc.info/?l=bugtraq&m=101503023511996&w=2
- http://www.iss.net/security_center/static/8334.php
- http://www.osvdb.org/5350
- http://www.redhat.com/support/errata/RHSA-2002-060.html
- http://www.securityfocus.com/bid/4229
- http://www.zope.org/Products/Zope/hotfixes/
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3
- http://www.redhat.com/support/errata/RHSA-2001-072.html
- http://www.redhat.com/support/errata/RHSA-2001-115.html
- http://www.securityfocus.com/bid/3425
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7271