Dataflake

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 4.8.11 Zope versions prior to 5.8.6 **Description** Zope is an open-source web application server. The `title` property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). This occurs because the `title` property is displayed unquoted in the breadcrumbs element. **Recommendations** For versions prior to 4.8.11, update to version 4.8.11 to resolve the issue. For versions prior to 5.8.6, update to version 5.8.6 to resolve the issue. As a temporary workaround, ensure that only Manager users can edit and view Zope objects in the Zope Management Interface, which is the default configuration.

**Name of the Vulnerable Software and Affected Versions** AccessControl versions prior to 4.4 AccessControl versions prior to 5.8 AccessControl versions prior to 6.2 **Description** The issue arises from Python's "format" functionality, which allows someone controlling the format string to access objects via attribute access and subscription. This can lead to critical information disclosure because the attribute accesses and subscriptions use Python's full-blown `getattr` and `getitem`, rather than the policy-restricted `AccessControl` variants ` getattr ` and ` getitem `. `AccessControl` provides a safe variant for `str.format` and denies access to `string.Formatter`, but `str.format map` remains unsafe. Users who allow untrusted users to create and execute `AccessControl` controlled Python code are affected. **Recommendations** For versions prior to 4.4, upgrade to version 4.4 or later. For versions prior to 5.8, upgrade to version 5.8 or later. For versions prior to 6.2, upgrade to version 6.2 or later. As a temporary workaround, consider restricting access to `str.format map` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AccessControl versions 4.0 through 4.2 AccessControl versions 5.0 through 5.1 Zope versions prior to 4.6.3 Zope versions prior to 5.3 **Description** The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. **Recommendations** For AccessControl versions 4.0 through 4.2, update to version 4.3 or later. For AccessControl versions 5.0 through 5.1, update to version 5.2 or later. For Zope versions prior to 4.6.3, update to version 4.6.3 or later. For Zope versions prior to 5.3, update to version 5.3 or later. As a temporary workaround, restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 4.6.3 and 5.3 **Description** Zope is an open-source web application server with a remote code execution security issue. The issue affects Zope deployments using Python 3, running Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and having the optional `Products.PythonScripts` add-on package installed. By default, only users with the admin-level Zope "Manager" role can add or edit Script (Python) objects through the web. Sites that allow untrusted users to add or edit these scripts through the web are at risk. **Recommendations** For Zope versions prior to 4.6.3 and 5.3, restrict adding or editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role, and adding or editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 5.2 and 4.6 Zope versions prior to 5.21 and 4.6.1 **Description** Zope is an open-source web application server. In Zope, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this issue. The problem has been fixed in Zope 5.2 and 4.6. **Recommendations** For Zope versions prior to 5.2 and 4.6, update to Zope 5.2 or 4.6 to resolve the issue. For Zope versions prior to 5.21 and 4.6.1, update to Zope 5.21 or 4.6.1 to resolve the issue. As a temporary workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 5.2.1 and 4.6.1 **Description** Zope is an open-source web application server. The issue concerns TAL expression traversal vulnerabilities, where most Python modules are not available for use in TAL expressions added through the web, but some untrusted modules can be accessed indirectly. By default, only users with the Manager role can add or edit Zope Page Templates through the web. However, sites allowing untrusted users to add or edit these templates are at risk. The problem has been fixed in versions 5.2.1 and 4.6.1. **Recommendations** For versions prior to 5.2.1, update to version 5.2.1 to resolve the issue. For versions prior to 4.6.1, update to version 4.6.1 to resolve the issue. As a temporary workaround, a site administrator can restrict adding or editing Zope Page Templates through the web using standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role, and adding or editing Zope Page Templates through the web should be restricted to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Products.GenericSetup versions prior to 2.1.1 **Description** The issue is an information disclosure vulnerability where anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. This problem has been fixed in version 2.1.1. **Recommendations** For versions prior to 2.1.1, change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip, simply do pip install "Products.GenericSetup>=2.1.1". As a temporary workaround, visit the ZMI Security tab at portal setup/manage access and click on the link Access contents information. On the next page, uncheck the box Also use roles acquired from folders containing this objects at the bottom and check the boxes for Manager and Owner. Then click on Save Changes. Return to the ZMI Security tab at portal setup/manage access and scroll down to the link View. Click on View, uncheck the box Also use roles acquired from folders containing this objects at the bottom and check the boxes for Manager and Owner. Then click on Save Changes.

**Name of the Vulnerable Software and Affected Versions** Products.PluggableAuthService versions prior to 2.6.0 **Description** The issue is an information disclosure vulnerability where everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. **Recommendations** For versions prior to 2.6.0, change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.