PT-2021-28364 · Zope · AccessControl
Published 2021-07-30 · Updated 2021-07-30
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions:
AccessControl versions 4.0 through 4.2
AccessControl versions 5.0 through 5.1
Description:
The issue concerns the AccessControl module in Zope applications, which defines the security policy for untrusted Python code. It restricts access to Python modules but exempts certain modules deemed safe, such as the string module. However, the string module's Formatter class can be overridden, and a subclass of it gives access to other, unsafe Python libraries that can be used for remote code execution. This issue affects sites that allow untrusted users to add or edit Script (Python) objects through the web, which is an unusual configuration.
Recommendations:
For AccessControl versions 4.0 through 4.2, update to version 4.3.
For AccessControl versions 5.0 through 5.1, update to version 5.2.
As a temporary workaround, restrict adding and editing Script (Python) objects through the web to trusted users only, using the standard Zope user/role permission mechanisms, and do not assign the Zope Manager role to untrusted users.
Affected Products
AccessControl