Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU111192
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2002-0170
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Zope: 2.2.0 - 2.5.1b1
https://marc.info/?l=bugtraq&m=101503023511996&w=2
https://www.iss.net/security_center/static/8334.php
https://www.osvdb.org/5350
https://www.redhat.com/support/errata/RHSA-2002-060.html
https://www.securityfocus.com/bid/4229
https://www.zope.org/Products/Zope/hotfixes/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU111194
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2001-1227
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Zope: 2.2.0 - 2.2.5
https://www.linux-mandrake.com/en/security/2001/MDKSA-2001-080.php3
https://www.redhat.com/support/errata/RHSA-2001-072.html
https://www.redhat.com/support/errata/RHSA-2001-115.html
https://www.securityfocus.com/bid/3425
https://exchange.xforce.ibmcloud.com/vulnerabilities/7271
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.