Product: zope

49 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE ID         | Affected versions       | CVSS       | Description
---------------|-------------------------|------------|------------------------------------------------------------
CVE-2024-47532 | < 7.3                   | 6.5 MEDIUM | RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and
CVE-2023-44389 | >= 4.0 and < 4.8.11     | 3.1 LOW    | Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script cod
CVE-2023-42458 | < 4.8.10                | 3.7 LOW    | Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerab
CVE-2023-41050 | < 4.8.9                 | 6.8 MEDIUM | AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling th
CVE-2023-41039 | < 5.4                   | 8.3 HIGH   | RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows so
CVE-2023-37271 | < 5.3                   | 8.4 HIGH   | RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into
CVE-2023-36814 | < 3.2                   | 7.5 HIGH   | Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal modul
CVE-2021-32811 | >= 4.0 and < 4.6.3      | 7.5 HIGH   | Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security
CVE-2021-32807 | >= 4.0 and < 4.3        | 4.4 MEDIUM | The module AccessControl defines security policies for Python code used in restricted code within Zope applications. Restricted
CVE-2021-36089 | >= 7.6.6 and <= 9.2.0   | 7.8 HIGH   | Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::FileFormatDecompress::apply_palette_clr (called from grk::FileFo
CVE-2021-32674 | < 4.6.1                 | 8.8 HIGH   | Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zo
CVE-2021-33507 | < 2.5.1                 | 6.1 MEDIUM | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other produc
CVE-2021-32633 | < 4.6                   | 6.8 MEDIUM | Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectl
CVE-2021-21360 | < 2.1.1                 | 5.3 MEDIUM | Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In
CVE-2021-21337 | < 2.6.1                 | 5.7 MEDIUM | Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService bef
CVE-2021-21336 | < 2.6.0                 | 6.5 MEDIUM | Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService bef
CVE-2011-4924  | >= 2.8.0 and < 2.8.12   | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.
CVE-2009-5145  | all versions            | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.1
CVE-2012-6661  | <= 2.13.18              | not listed | Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG
CVE-2012-5507  | all versions            | not listed | AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers
CVE-2012-5489  | <= 2.13.10              | not listed | The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone befor
CVE-2012-5486  | all versions            | not listed | ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to injec
CVE-2011-3587  | all versions            | not listed | Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remo
CVE-2011-2528  | all versions            | not listed | Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and
CVE-2010-3495  | <= 3.9.7                | not listed | Race condition in ZEO/StorageServer.py in Zope Object Database (ZODB) before 3.10.0 allows remote attackers to cause a denial of s
CVE-2010-3198  | all versions            | not listed | ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of work
CVE-2010-1104  | all versions            | not listed | Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.
CVE-2009-2701  | all versions            | not listed | Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB) 3.8 bef
CVE-2009-0669  | <= 3.8.1                | not listed | Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote at
CVE-2009-0668  | <= 3.8.1                | not listed | Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing
CVE-2008-5102  | <= 2.11.2               | not listed | PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and other products, allows remote authenticated users to cause a deni
CVE-2007-0240  | <= 2.10.2               | not listed | Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML
CVE-2006-4684  | all versions            | not listed | The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructur
CVE-2006-3458  | all versions            | not listed | Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users
CVE-2005-3323  | >= 2.7.0 and < 2.7.8    | not listed | docutils in Zope 2.6, 2.7 before 2.7.8, and 2.8 before 2.8.2 allows remote attackers to include arbitrary files via include direct
CVE-2002-0688  | all versions            | not listed | ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access
CVE-2002-0687  | <= 2.5.1b1              | not listed | The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certai
CVE-2002-0170  | all versions            | not listed | Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access
CVE-2001-1278  | all versions            | not listed | Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through
CVE-2001-1227  | all versions            | not listed | Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through
CVE-2001-0569  | <= 2.3.1_b1             | not listed | Digital Creations Zope 2.3.1 b1 and earlier contains a problem in the method return values related to the classes (1) ObjectManage
CVE-2001-0568  | <= 2.3.1_b1             | not listed | Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Zope user) with through-the-web scripting capabilities to alt
CVE-2001-0567  | all versions            | not listed | Digital Creations Zope 2.3.2 and earlier allows a local attacker to gain additional privileges via the changing of ZClass permissi
CVE-2001-0128  | <= 2.2.4                | not listed | Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain
CVE-2000-1212  | all versions            | not listed | Zope 2.2.0 through 2.2.4 does not properly protect a data updating method on Image and File objects, which allows attackers with D
CVE-2000-1211  | all versions            | not listed | Zope 2.2.0 through 2.2.4 does not properly perform security registration for legacy names of object constructors such as DTML meth
CVE-2000-0725  | all versions            | not listed | Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify
CVE-2000-0483  | all versions            | not listed | The DocumentTemplate package in Zope 2.2 and earlier allows a remote attacker to modify DTMLDocuments or DTMLMethods without autho
CVE-2000-0062  | all versions            | not listed | The DTML implementation in the Z Object Publishing Environment (Zope) allows remote attackers to conduct unauthorized activities.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin