PT-2021-19848 · Zope · Zope
Dataflake · Published 2021-05-21 · Updated 2022-01-21 · CVE-2021-32674
CVSS v3.1 8.8 High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zope versions prior to 5.2.1 and 4.6.1
Description
Zope is an open-source web application server. Zope Page Templates contain TAL expressions, and TAL path expressions can traverse into Python modules. Most Python modules are not available for direct use in expressions added through the web, but in the affected versions a user could reach untrusted modules indirectly, by traversing onward from the modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, so the sites at risk are those that allow untrusted users to add or edit these templates. The problem has been fixed in Zope 5.2.1 and 4.6.1.
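To make the indirect route concrete, here is an added illustration in Python. It is not Zope's code and does not reproduce Zope's actual module-traversal implementation; in Zope the corresponding decisions belong to its AccessControl security machinery. The example assumes a hypothetical allowlist (`ALLOWED_MODULES`) and two resolver functions written for this page: `resolve_unsafe` checks only the first segment of a slash-separated path, the way an allowlist enforced only at import time does, so `fnmatch/os/system` walks from the allowed (and harmless-looking) standard-library module `fnmatch` through its public `os` attribute, which exists because `fnmatch` does `import os`, to `os.system`; `resolve_safe` re-checks the allowlist at every hop and refuses private names.

```python
import importlib
import types

# Hypothetical allowlist for this example. It is NOT Zope's list of modules
# that TAL expressions may import; it is chosen so that one entry (fnmatch)
# is harmless on its own but, like many stdlib modules, exposes `os` as a
# public attribute because it does `import os`.
ALLOWED_MODULES = {"string", "math", "fnmatch"}


class TraversalError(Exception):
    """Raised when a path tries to reach something outside the allowlist."""


def resolve_unsafe(path):
    """Vulnerable pattern: only the first path segment is checked.

    Every later segment is a plain getattr, so an attribute that happens to
    be a module (fnmatch.os) leads straight out of the allowlist and
    'fnmatch/os/system' resolves to os.system.
    """
    parts = path.split("/")
    if parts[0] not in ALLOWED_MODULES:
        raise TraversalError("module not allowed: %s" % parts[0])
    obj = importlib.import_module(parts[0])
    for name in parts[1:]:
        obj = getattr(obj, name)
    return obj


def resolve_safe(path):
    """Hardened pattern: re-check the allowlist at every hop.

    Two rules close the indirect route: no private or dunder names (the
    `__globals__`, `__class__` and `__subclasses__` hops depend on them), and
    any module reached by traversal must itself be on the allowlist, no
    matter which allowed module exposed it.
    """
    parts = path.split("/")
    if parts[0] not in ALLOWED_MODULES:
        raise TraversalError("module not allowed: %s" % parts[0])
    obj = importlib.import_module(parts[0])
    for name in parts[1:]:
        if name.startswith("_"):
            raise TraversalError("private attribute refused: %s" % name)
        try:
            obj = getattr(obj, name)
        except AttributeError:
            raise TraversalError("no such attribute: %s" % name) from None
        if isinstance(obj, types.ModuleType) and obj.__name__ not in ALLOWED_MODULES:
            raise TraversalError(
                "traversal into module not allowed: %s" % obj.__name__)
    return obj


def demo():
    """Run both resolvers over the same paths; returns {(resolver, path): outcome}."""
    paths = ["math/sqrt", "fnmatch/fnmatch", "fnmatch/os/system",
             "os/system", "string/_re"]
    results = {}
    for p in paths:
        for label, fn in (("unsafe", resolve_unsafe), ("safe", resolve_safe)):
            try:
                results[(label, p)] = fn(p).__name__
            except TraversalError as exc:
                results[(label, p)] = "refused: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

The per-hop module check is what the first-segment check lacks; it does not, however, make the allowlist itself safe. A module whose public functions are dangerous (anything that spawns processes or touches the filesystem) must simply not be listed, because listing it exposes its functions directly, with no traversal needed.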
Recommendations
Zope 5.x: update to version 5.2.1.
Zope 4.x: update to version 4.6.1.
As a temporary workaround, a site administrator can restrict who may add or edit Zope Page Templates through the web, using the standard Zope user/role permission mechanisms: do not assign the Manager role to untrusted users, and grant the permission to add or edit Page Templates through the web to trusted users only.
Fix
Path traversal
Related Identifiers
CVE-2021-32674
Affected Products
Zope