Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the manage_tabs_message in ZMI pages. An attacker can manipulate web content or hijack user sessions.
How to fix Cross-site Scripting (XSS)? Upgrade Zope2 to version 2.12.5 or higher.
Privilege Escalation
zope2 is a Zope2 application server / web framework.
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.
Timing Attack
zope2 is a Zope2 application server / web framework.
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
Insecure Randomness
zope2 is a Zope2 application server / web framework.
Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).