Zope

This hub aggregates every CVE we track for Zope, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Zope.

• CVE-2023-44389Zope management interface vulnerable to stored cross site scripting via the title property3.1Oct 4, 2023
• CVE-2023-42458Zope vulnerable to Stored Cross Site Scripting with SVG images3.7Sep 21, 2023
• CVE-2023-41050Information disclosure through Python's "format" functionality in Zope AccessControl6.8Sep 6, 2023
• CVE-2021-32811Remote Code Execution via Script (Python) objects under Python 37.5Aug 2, 2021
• CVE-2021-32807Remote Code Execution via unsafe classes in otherwise permitted modules4.4Jul 30, 2021
• CVE-2021-32674Remote Code Execution via traversal in TAL expressions8.8Jun 8, 2021
• CVE-2021-33507Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.6.1May 21, 2021
• CVE-2021-32633Remote Code Execution via traversal in TAL expressions6.8May 21, 2021
• CVE-2011-4924Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote ...6.1Nov 25, 2019
• CVE-2009-5145Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.6.1Aug 7, 2017
• CVE-2012-6661Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value vi...5.0Nov 3, 2014
• CVE-2012-5486ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.6.4Sep 30, 2014
• CVE-2012-5507AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in ...4.3Sep 30, 2014
• CVE-2012-5489The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to...6.5Sep 30, 2014
• CVE-2011-3587Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to t...9.3Oct 10, 2011