CVE-2023-44389

Name of the Vulnerable Software and Affected Versions Zope versions prior to 4.8.11 Zope versions prior to 5.8.6

Description Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). This occurs because the title property is displayed unquoted in the breadcrumbs element.

Recommendations For versions prior to 4.8.11, update to version 4.8.11 to resolve the issue. For versions prior to 5.8.6, update to version 5.8.6 to resolve the issue. As a temporary workaround, ensure that only Manager users can edit and view Zope objects in the Zope Management Interface, which is the default configuration.