Input validation error in Zope - CVE-2000-0725
Published: September 10, 2008 / Updated: June 17, 2025
Vulnerability identifier: #VU111201
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2000-0725
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Zope
Affected software: Zope
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary code.
Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.
How to mitigate CVE-2000-0725
Install the update from the vendor's website.
Sources
- http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html
- http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html
- http://www.debian.org/security/2000/20000821
- http://www.redhat.com/support/errata/RHSA-2000-052.html
- http://www.securityfocus.com/bid/1577
- http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert