zope2 2.13.19 vulnerabilities

Known vulnerabilities in the zope2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H HTTP Header Injection `zope2` is a Zope2 application server / web framework Affected versions of this package are vulnerable to HTTP header Injection attacks due to incorrectly escaping of Carriage Return and Line Feed (CR/LF) characters in HTTP requests.	[2.13,2.13.25)
M Cross-site Scripting (XSS) `zope2` is a Zope2 application server / web framework Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.	[2.12,2.12.28)[2.13,2.13.21)
M Open Redirect `zope2` is a Zope2 application server / web framework Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.	[2.13,2.13.21)
M Information Exposure `zope2` is a Zope2 application server / web framework The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.	[2.13,2.13.21)
L Denial of Service (DoS) `zope2` is a Zope2 application server / web framework (1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).	[2.13,2.13.21)
M Arbitrary Code Execution `zope2` is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.	[2.13,2.13.20)
M Information Exposure `zope2` is a Zope2 application server / web framework ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.	[2.12,2.12.27)[2.13,2.13.20)
M Cross-site Scripting (XSS) `zope2` is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.	[2.12,2.12.27)[2.13,2.13.20)

Vulnerability

Vulnerable Version

HTTP Header Injection

zope2 is a Zope2 application server / web framework Affected versions of this package are vulnerable to HTTP header Injection attacks due to incorrectly escaping of Carriage Return and Line Feed (CR/LF) characters in HTTP requests.

[2.13,2.13.25)

Cross-site Scripting (XSS)

zope2 is a Zope2 application server / web framework Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect.py, (2) pts.py, and (3) request.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[2.12,2.12.28)[2.13,2.13.21)

Open Redirect

zope2 is a Zope2 application server / web framework Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) publish.py, and (3) principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

[2.13,2.13.21)

Information Exposure

zope2 is a Zope2 application server / web framework The object manager implementation (objectmanager.py) in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request.

[2.13,2.13.21)

Denial of Service (DoS)

zope2 is a Zope2 application server / web framework (1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompressed).

[2.13,2.13.21)

Arbitrary Code Execution

zope2 is a Zope2 application server / web framework python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

[2.13,2.13.20)

Information Exposure

zope2 is a Zope2 application server / web framework ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

[2.12,2.12.27)[2.13,2.13.20)

Cross-site Scripting (XSS)

zope2 is a Zope2 application server / web framework Cross-site Scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[2.12,2.12.27)[2.13,2.13.20)

zope2@2.13.19 vulnerabilities

Zope application server / web framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?