CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
24.4%
The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI) because the title property is displayed unquoted in the breadcrumbs element. All versions of Zope 4 and Zope 5 are affected.
Patches will be released with Zope versions 4.8.11 and 5.8.6.
Make sure only Manager users can edit and view Zope objects in the Zope Management Interface. This is the default.
github.com/advisories/GHSA-m755-gxxg-r5qh
github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2023-193.yaml
github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a
github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d
github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh
nvd.nist.gov/vuln/detail/CVE-2023-44389