zope2@2.12.26 vulnerabilities

Zope application server / web framework

  • latest version

    4.0

  • latest non vulnerable version

  • first published

    15 years ago

  • latest version published

    5 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the zope2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    zope2 is a Zope2 application server / web framework Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    [2.12,2.12.28)[2.13,2.13.21)
    • M
    HTTP Header Injection

    zope2 is a Zope2 application server / web framework ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

    [2.12,2.13.19)
    • M
    Cross-site Scripting (XSS)

    zope2 is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."

    [2.12,2.12.27)
    • M
    Arbitrary Code Execution

    zope2 is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

    [2.12.0a2,2.12.26]
    • M
    Information Exposure

    zope2 is a Zope2 application server / web framework ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

    [2.12,2.12.27)[2.13,2.13.20)
    • M
    Cross-site Scripting (XSS)

    zope2 is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    [2.12,2.12.27)[2.13,2.13.20)
    • M
    Denial of Service (DoS)

    zope2 is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

    [2.12,2.12.27)
    • M
    Timing Attack

    zope2 is a Zope2 application server / web framework AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

    [,2.13.19)
    • M
    Insecure Randomness

    zope2 is a Zope2 application server / web framework Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

    [,2.13.19)