CVE-2021-32633

Published: 21/05/2021 Updated: 06/04/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Zope is an open-source web application server. In Zope versions before 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

Vulnerable Products

plone / plone

zope / zope

Mailing Lists

A Plone security hotfix was released on Tuesday, May 18 2021. For details, see plone.org/security/hotfix/20210518. Most CVE numbers are not yet issued; I will request them from Mitre shortly. The patch addresses several security issues: - Reflected XSS in various spots. Reported by Calum Hutton. - XSS vulnerability in CMFDiffTool R ...

CVE numbers inline below. Thanks. On 21/05/2021 16:07, Maurits van Rees wrote: CVE-2021-33509 CVE-2021-33512 CVE-2021-33507 CVE-2021-33513 CVE-2021-33508 issued, but I forgot that the original reporter already reserved CVE-2021-3313, which is public now with his report. My bad. CVE-2021-33510 CVE-2021-33511 -- Maurits van Re ...