Vulnerabilities > Zope > Zope

DATE CVE VULNERABILITY TITLE RISK
2014-09-30 CVE-2012-5507 Race Condition vulnerability in multiple products
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
network
zope plone CWE-362
4.3
2014-09-30 CVE-2012-5489 Permissions, Privileges, and Access Controls vulnerability in multiple products
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
network
low complexity
plone zope CWE-264
6.5
2011-10-10 CVE-2011-3587 Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.
network
plone zope
critical
9.3
2011-07-19 CVE-2011-2528 Remote Security vulnerability in Zope
Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.
network
low complexity
plone zope
7.5
2010-09-08 CVE-2010-3198 Denial Of Service vulnerability in Zope
ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.
network
zope
4.3
2010-03-25 CVE-2010-1104 Cross-Site Scripting vulnerability in Zope
Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.
network
zope CWE-79
4.3
2008-11-17 CVE-2008-5102 Resource Management Errors vulnerability in Zope
PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and other products, allows remote authenticated users to cause a denial of service (resource consumption or application halt) via certain (1) raise or (2) import statements.
network
low complexity
zope CWE-399
4.0
2007-03-22 CVE-2007-0240 HTML Injection vulnerability in Zope HTTP Get Request
Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request.
network
zope
4.3
2006-09-19 CVE-2006-4684 Information Disclosure vulnerability in Zope CSV_Table
The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458.
network
low complexity
zope
5.0
2006-07-07 CVE-2006-3458 Information Disclosure vulnerability in Zope Docutils
Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.
local
low complexity
zope
2.1