| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 10322 | 2004-01-08 | Zope DTMLMethods Proxy Rights Traversal | Unknown / Incomplete |
| 1514 | 2000-08-16 | Zope getRoles Method Arbitrary Role Modification | (Description provided by CVE): Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request. |
| 6283 | 2000-12-12 | Zope Image and File Update Data Protection Bypass | Zope contains a flaw that may allow a malicious user to bypass data protection. The issue is triggered by insecure data-updating methods on Image and File objects. The flaw may allow a malicious user with DTML editing privileges to modify the raw data of these objects, resulting in a loss of integrity. |
| 3449 | 2004-01-08 | Zope Iterations Object Access Check Bypass | Unknown / Incomplete |
| 67293 | 2010-08-20 | Zope LDAPUserFolder Product Products/LDAPUserFolder/LDAPUserFolder.py authenticate() Function Authentication Bypass | (Description provided by CVE): The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges. |
| 6282 | 2000-12-08 | Zope Legacy Name Authorization Bypass | Zope contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when legacy object names (e.g. DTML Methods) are used. This flaw may lead to a loss of confidentiality and/or integrity. |
| 6284 | 2000-12-15 | Zope Local Role Computation Error Privilege Escalation | Zope contains a flaw that may allow a malicious user to gain unauthorized privileges. In some situations the local role computation did not climb the correct hierarchy of folders, granting local roles inappropriately. Exploitation could grant a local user with privileges in one folder the same privileges specified in another folder. This flaw may lead to a loss of confidentiality and integrity. |
| 58285 | 2002-09-26 | Zope Malformed XML RPC Request Path Disclosure | Unknown / Incomplete |
| 10315 | 2004-01-08 | Zope Multiple Bound Variable Arbitrary Object Access | Unknown / Incomplete |
| 10314 | 2004-01-08 | Zope Multiple built-in Unspecified Security Check Bypass | Unknown / Incomplete |
| 10312 | 2004-01-08 | Zope Multiple Instance Methods get Request Object Access Restriction Bypass | Unknown / Incomplete |
| 56827 | 2009-08-06 | Zope Object Database (ZODB) ZEO Storage Server Unspecified Arbitrary Python Code Execution | (Description provided by CVE): Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol. |
| 56826 | 2009-08-06 | Zope Object Database (ZODB) ZEO Storage Server Unspecified Authentication Bypass | (Description provided by CVE): Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol. |
| 68608 | 2010-10-08 | Zope Object Database (ZODB) ZEO/StorageServer.py Multiple Client Connection Remote DoS | Zope Object Database contains a race condition in the 'ZEO/StorageServer.py' script that may allow a remote denial of service. The issue is triggered when a remote attacker establishes and then immediately closes a TCP connection, and results in a loss of availability for the program. |
| 57760 | 2009-09-01 | Zope Object Database (ZODB) Zope Enterprise Objects (ZEO) Server Arbitrary File Manipulation | (Description provided by CVE): Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB) 3.8 before 3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and blob support are enabled, allows remote authenticated users to read or delete arbitrary files via unknown vectors. |
| 73252 | 2011-05-29 | Zope PluggableAuthService (PAS) ZODBUserManager.py updateUser() Method User Login Name Change Duplication | Unknown / Incomplete |
| 10324 | 2004-01-08 | Zope PropertyManager Multiple Types Arbitrary List Modification | Unknown / Incomplete |
| 5350 | 2002-03-01 | Zope Proxy Role Privilege Escalation | Zope contains a flaw that may allow a malicious user to gain access to files outside the configured security context. The issue is due to Zope failing to honour the security context of the creator of a proxy role when determining access to an object via that role. This flaw may lead to a loss of confidentiality. |
| 10313 | 2004-01-08 | Zope Python Script import as Feature Security Check Bypass | Unknown / Incomplete |
| 10318 | 2004-01-08 | Zope PythonScript Class Arbitrary Variable Access | Unknown / Incomplete |
| 76105 | 2011-09-29 | Zope Request Parsing Unspecified Remote Command Execution | (Description provided by CVE): Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules. |
| 10317 | 2004-01-08 | Zope RESPONSE.write() Function Unicode Character DoS | Unknown / Incomplete |
| 61655 | 2010-01-12 | Zope standard_error_message Template XSS | (Description provided by CVE): Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages. |
| 5166 | 2004-04-08 | Zope Through The Web Code Header Injection DoS | Zope contains a flaw that may allow a remote denial of service. The issue can be triggered on systems where users can write "Through The Web" code, and results in a loss of availability for the service. |
| 10316 | 2004-01-08 | Zope Unpacking Function Arbitrary Object Access | Unknown / Incomplete |
| 73726 | 2011-06-28 | Zope Unspecified Access Restriction Bypass | (Description provided by CVE): Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720. |
| 34366 | 2007-03-20 | Zope Unspecified HTTP GET Request CSRF | (Description provided by CVE): Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. |
| 76645 | 2011-10-24 | Zope Unspecified Remote Issue | Unknown / Incomplete |
| 19951 | 2005-10-09 | Zope Unspecified RestructuredText Functionality Disclosure | (Description provided by CVE): docutils in Zope 2.6, 2.7 before 2.7.8, and 2.8 before 2.8.2 allows remote attackers to include arbitrary files via include directives in RestructuredText functionality. |
| 10319 | 2004-01-08 | Zope XML-RPC Instance Marshalling Protected Value Disclosure | Unknown / Incomplete |
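Two of the entries above describe the same underlying class of authorization bug: OSVDB 1514 (roles taken from a list the client supplies in the request) and OSVDB 6284 (local roles acquired by walking the wrong folder hierarchy). The following is an added illustration of that pattern, not Zope code and not the OSVDB record; the `Folder`, `Request`, `roles_vulnerable` and `roles_fixed` names and the sample site layout are hypothetical. It contrasts a role resolver that merges request-supplied roles with one that derives effective roles only from server-side state, walking the object's real containment chain to the root so that a local role granted in one folder does not leak into a sibling folder.

```python
"""Illustrative role resolution (added example; hypothetical names, not Zope code).

Models the flaw classes behind OSVDB 1514 and 6284: trusting a roles list
carried in the request, and acquiring local roles from the wrong hierarchy.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Folder:
    """A container in a hypothetical object tree. parent=None marks the root."""
    name: str
    parent: Optional["Folder"] = None
    # Local roles granted in *this* folder only, keyed by user id.
    local_roles: Dict[str, FrozenSet[str]] = field(default_factory=dict)


@dataclass
class Request:
    """A minimal stand-in for an HTTP request: who is authenticated, plus form data."""
    user: str
    form: Dict[str, object] = field(default_factory=dict)


# Server-side global roles (constructed sample data).
GLOBAL_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"Authenticated"}),
    "bob": frozenset({"Authenticated"}),
}


def roles_vulnerable(req: Request, obj: Folder) -> FrozenSet[str]:
    """The OSVDB 1514 pattern: a 'roles' list in the request is merged into the
    effective roles, so anyone able to craft a request names their own roles."""
    roles = set(GLOBAL_ROLES.get(req.user, frozenset()))
    roles.update(req.form.get("roles", []))  # attacker-controlled input
    return frozenset(roles)


def roles_fixed(req: Request, obj: Folder) -> FrozenSet[str]:
    """Effective roles = global roles + local roles acquired by walking from obj
    up its own containment chain to the root. Request content is never consulted,
    and only ancestors of obj contribute, so a role in a sibling folder does not
    apply here (the OSVDB 6284 condition)."""
    roles = set(GLOBAL_ROLES.get(req.user, frozenset()))
    node: Optional[Folder] = obj
    while node is not None:
        roles.update(node.local_roles.get(req.user, frozenset()))
        node = node.parent
    return frozenset(roles)


def build_site() -> Tuple[Folder, Folder, Folder, Folder]:
    """Constructed sample tree: root/projects/alpha/reports and root/finance.
    alice is Manager only in alpha (and, by acquisition, in its children)."""
    root = Folder("root")
    projects = Folder("projects", parent=root)
    alpha = Folder("alpha", parent=projects,
                   local_roles={"alice": frozenset({"Manager"})})
    reports = Folder("reports", parent=alpha)
    finance = Folder("finance", parent=root)
    return root, alpha, reports, finance


def demo() -> Dict[str, bool]:
    """Returns the outcomes a reviewer would want to check."""
    _root, alpha, reports, finance = build_site()
    bob_forged = Request("bob", {"roles": ["Manager"]})
    alice = Request("alice")
    return {
        "forged_role_accepted_by_vulnerable": "Manager" in roles_vulnerable(bob_forged, finance),
        "forged_role_rejected_by_fixed": "Manager" not in roles_fixed(bob_forged, finance),
        "alice_manager_in_alpha": "Manager" in roles_fixed(alice, alpha),
        "alice_manager_acquired_in_child": "Manager" in roles_fixed(alice, reports),
        "alice_not_manager_in_sibling": "Manager" not in roles_fixed(alice, finance),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of `roles_fixed` is that the authority decision is a pure function of server-side state (global role map plus the local roles of the object's actual ancestors); any field the client can influence is excluded from the computation, which is the property both OSVDB entries describe as missing.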