CVE-2021-32674 – Remote Code Execution via traversal in TAL expressions
https://notcve.org/view.php?id=CVE-2021-32674
Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for use in TAL expressions that can be added through the web, for example in Zope Page Templates. This restriction prevents file system access, for example via the 'os' module. But some of these untrusted modules are reachable indirectly, as attributes of Python modules that are available for direct use. • https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21 https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6 https://pypi.org/project/Zope • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-33507
https://notcve.org/view.php?id=CVE-2021-33507
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow reflected XSS. • http://www.openwall.com/lists/oss-security/2021/05/22/1 https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-32633 – Remote Code Execution via traversal in TAL expressions
https://notcve.org/view.php?id=CVE-2021-32633
Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. • http://www.openwall.com/lists/oss-security/2021/05/21/1 http://www.openwall.com/lists/oss-security/2021/05/22/1 https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633 https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91 https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
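The two TAL advisories above (CVE-2021-32674 and CVE-2021-32633) describe the same class of flaw: a module allowlist is enforced on the first name of a dotted expression, but later attribute steps can land on a module object that was never allowed. The following is an added illustration written for this page, not Zope's own restricted-Python code; `helpers`, `MODULE_REGISTRY` and `ALLOWED_MODULES` are constructed stand-ins for a site's module allowlist. It shows the naive resolver handing out `os.getcwd` through an allowed module, and a hardened resolver that re-applies the allowlist whenever a traversal step yields a module.

```python
import types
import os

# Constructed stand-in for an allowlisted helper module. Like many real
# modules, it imports os for its own use, so the os module object hangs off
# it as an attribute. (Assumption for the example, not Zope's module list.)
helpers = types.ModuleType("helpers")
helpers.os = os
helpers.greet = lambda name: f"hello {name}"

MODULE_REGISTRY = {"helpers": helpers, "os": os}
ALLOWED_MODULES = {"helpers"}          # os is deliberately NOT allowed


class TraversalDenied(Exception):
    pass


def resolve_naive(path):
    """Flawed resolver: only the first path segment is checked against the
    allowlist; every later dotted step is a plain getattr."""
    head, *rest = path.split(".")
    if head not in ALLOWED_MODULES:
        raise TraversalDenied(f"module {head!r} is not allowed")
    obj = MODULE_REGISTRY[head]
    for segment in rest:
        obj = getattr(obj, segment)
    return obj


def resolve_checked(path):
    """Hardened resolver: every intermediate object is inspected, and any
    step that lands on a module object re-applies the allowlist to that
    module's own name. Underscore-prefixed names are refused as well."""
    head, *rest = path.split(".")
    if head not in ALLOWED_MODULES:
        raise TraversalDenied(f"module {head!r} is not allowed")
    obj = MODULE_REGISTRY[head]
    for segment in rest:
        if segment.startswith("_"):
            raise TraversalDenied(f"{path}: private name {segment!r}")
        obj = getattr(obj, segment)
        if isinstance(obj, types.ModuleType) and obj.__name__ not in ALLOWED_MODULES:
            raise TraversalDenied(f"{path}: reaches module {obj.__name__!r}")
    return obj


def is_denied(resolver, path):
    """True if the resolver refuses the path, False if it returns an object."""
    try:
        resolver(path)
    except TraversalDenied:
        return True
    return False


if __name__ == "__main__":
    # The naive resolver hands out os.getcwd even though os is not allowed.
    print(resolve_naive("helpers.os.getcwd")())
    # The checked resolver stops at the helpers.os step.
    print(is_denied(resolve_checked, "helpers.os.getcwd"))
    print(resolve_checked("helpers.greet")("zope"))
```

The per-step check is the point: an allowlist consulted only at the root of the expression says nothing about what the root's attributes refer to. The same check belongs on the result of item lookups and calls, since a function on an allowed module can just as easily return a module object as an attribute can.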
CVE-2021-21360 – Exposure of Sensitive Information to an Unauthorized Actor in Products.GenericSetup
https://notcve.org/view.php?id=CVE-2021-21360
Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability: anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to `2.1.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.GenericSetup>=2.1.1"`. • http://www.openwall.com/lists/oss-security/2021/05/21/1 http://www.openwall.com/lists/oss-security/2021/05/22/1 https://github.com/zopefoundation/Products.GenericSetup/commit/700319512b3615b3871a1f24e096cf66dc488c57 https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSA-jff3-mwp3-f8cw https://pypi.org/project/Products.GenericSetup • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-21337 – URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService
https://notcve.org/view.php?id=CVE-2021-21337
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.1 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website after authentication. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1"`. • https://www.exploit-db.com/exploits/49930 http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.html https://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfa https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr https://pypi.org/project/Products.PluggableAuthService • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
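Login forms of this kind carry a "return to" parameter that is echoed into a redirect after authentication; the open redirect arises when that parameter is trusted as-is. The following is an added example of the same-origin check a practitioner would want in front of such a redirect; it is written for this page and is not the Products.PluggableAuthService fix. `SITE_ORIGIN` is a hypothetical origin, and the parameter name `came_from` is used only as an illustrative label.

```python
from urllib.parse import urlsplit

# Hypothetical site origin for the example; a real deployment would derive
# it from configuration or the request, never from the parameter itself.
SITE_ORIGIN = "https://plone.example"


def safe_came_from(came_from, site_origin=SITE_ORIGIN, fallback="/"):
    """Return came_from only if it stays on our own origin, else fallback.

    Accepts: paths ("/folder/page"), relative paths, and absolute URLs whose
    scheme and host match site_origin exactly.
    Rejects: other hosts, protocol-relative "//host" forms, any foreign
    scheme (javascript:, data:, http: on an https site), userinfo tricks
    ("https://plone.example@evil.example/"), and control characters or
    backslashes that browsers and Python's parser would interpret differently.
    """
    if not came_from:
        return fallback
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" is
    # really "//evil.example"; newlines and tabs invite parser disagreement.
    if "\\" in came_from or any(ord(c) < 0x20 or ord(c) == 0x7F for c in came_from):
        return fallback
    target = urlsplit(came_from)
    if target.scheme or target.netloc:
        # Absolute or protocol-relative URL: scheme and netloc must match ours
        # exactly. netloc includes userinfo and port, so a crafted authority
        # such as "plone.example@evil.example" fails the comparison.
        site = urlsplit(site_origin)
        if (target.scheme.lower() != site.scheme.lower()
                or target.netloc.lower() != site.netloc.lower()):
            return fallback
        return came_from
    # No scheme and no host: a path resolved against the current site.
    return came_from


if __name__ == "__main__":
    for candidate in ["/folder/page", "https://plone.example/folder",
                      "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)",
                      "https://plone.example@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_came_from(candidate)!r}")
```

The comparison is deliberately strict: `https://plone.example:443/` is rejected even though it is the same site, because it is cheaper to accept that false negative than to reason about port normalisation for every scheme. If the application is reached through several hostnames, compare against each configured origin rather than loosening the check.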