Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
578
VMScore

CVE-2021-32633

Published: 21/05/2021 Updated: 06/04/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Subscribe to Plone

Vulnerability Summary

Zope is an open-source web application server. In Zope versions before 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

plone plone

zope zope

Mailing Lists

Full Disclosure: Plone security hotfix 20210518
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Plone security hotfix 20210518 <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Maurits van Rees &lt;maurits () va ...

References

CWE-22https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36http://www.openwall.com/lists/oss-security/2021/05/21/1http://www.openwall.com/lists/oss-security/2021/05/22/1https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/https://nvd.nist.govhttp://seclists.org/oss-sec/2021/q2/158
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4946CVE-2024-30309CVE-2024-4761CVE-2024-30051type confusionmemory leakCVE-2024-30293reflected XSSCVE-2024-3126
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook