CVE-2021-32811

Name of the Vulnerable Software and Affected Versions Zope versions prior to 4.6.3 and 5.3

Description Zope is an open-source web application server with a remote code execution security issue. The issue affects Zope deployments using Python 3, running Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and having the optional Products.PythonScripts add-on package installed. By default, only users with the admin-level Zope "Manager" role can add or edit Script (Python) objects through the web. Sites that allow untrusted users to add or edit these scripts through the web are at risk.

Recommendations For Zope versions prior to 4.6.3 and 5.3, restrict adding or editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role, and adding or editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.