GHSA-9cmq-pj6p-hgwf

Source
https://github.com/advisories/GHSA-9cmq-pj6p-hgwf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-9cmq-pj6p-hgwf/GHSA-9cmq-pj6p-hgwf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9cmq-pj6p-hgwf
Aliases
  • CVE-2000-0725
Published
2022-04-30T18:14:11Z
Modified
2023-11-08T03:56:44.338376Z
Summary
Zope does not properly restrict access to the getRoles method
Details

Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.

Database specific
{
    "nvd_published_at": "2000-10-20T04:00:00Z",
    "severity": "HIGH",
    "github_reviewed_at": "2023-09-18T22:28:17Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

PyPI / zope

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.1