zope2 2.12.21 vulnerabilities

Known vulnerabilities in the zope2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) `zope2` is a Zope2 application server / web framework Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.	[2.12,2.12.28)[2.13,2.13.21)
M HTTP Header Injection `zope2` is a Zope2 application server / web framework `ZPublisher.HTTPRequest._scrubHeader` in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.	[2.12,2.13.19)
M Cross-site Scripting (XSS) `zope2` is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."	[2.12,2.12.27)
M Arbitrary Code Execution `zope2` is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."	[2.12.0a2,2.12.26]
M Information Exposure `zope2` is a Zope2 application server / web framework ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.	[2.12,2.12.27)[2.13,2.13.20)
M Cross-site Scripting (XSS) `zope2` is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.	[2.12,2.12.27)[2.13,2.13.20)
M Denial of Service (DoS) `zope2` is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.	[2.12,2.12.27)
M Timing Attack `zope2` is a Zope2 application server / web framework AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.	[,2.13.19)
M Insecure Randomness `zope2` is a Zope2 application server / web framework Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).	[,2.13.19)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

zope2 is a Zope2 application server / web framework Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[2.12,2.12.28)[2.13,2.13.21)

HTTP Header Injection

zope2 is a Zope2 application server / web framework ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

[2.12,2.13.19)

Cross-site Scripting (XSS)

zope2 is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."

[2.12,2.12.27)

Arbitrary Code Execution

zope2 is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

[2.12.0a2,2.12.26]

Information Exposure

zope2 is a Zope2 application server / web framework ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

[2.12,2.12.27)[2.13,2.13.20)

Cross-site Scripting (XSS)

zope2 is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[2.12,2.12.27)[2.13,2.13.20)

Denial of Service (DoS)

zope2 is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

[2.12,2.12.27)

Timing Attack

zope2 is a Zope2 application server / web framework AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

[,2.13.19)

Insecure Randomness

zope2 is a Zope2 application server / web framework Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

[,2.13.19)

zope2@2.12.21 vulnerabilities

Zope application server / web framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?