// For flags

CVE-2024-51734

User data deletion by anoynmous users in Zope

Severity Score

8.7
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

Zope AccessControl proporciona un marco de seguridad general para su uso en Zope. En las versiones afectadas, los usuarios anónimos pueden eliminar los datos de usuario que se mantienen en un `AccessControl.userfolder.UserFolder`, lo que puede impedir cualquier acceso privilegiado. Este problema se ha solucionado en la versión 7.2. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión pueden solucionar el problema añadiendo `data__roles__ = ()` a `AccessControl.userfolder.UserFolder`.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
None
Integrity
High
None
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-10-31 CVE Reserved
  • 2024-11-04 CVE Published
  • 2024-11-05 EPSS Updated
  • 2024-11-21 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Zopefoundation
Search vendor "Zopefoundation"
AccessControl
Search vendor "Zopefoundation" for product "AccessControl"
< 7.2
Search vendor "Zopefoundation" for product "AccessControl" and version " < 7.2"
en
Affected
Zopefoundation
Search vendor "Zopefoundation"
AccessControl
Search vendor "Zopefoundation" for product "AccessControl"
< 5.11.1
Search vendor "Zopefoundation" for product "AccessControl" and version " < 5.11.1"
en
Affected