Lucene search

[email protected]NVD:CVE-2023-44389

HistoryOct 04, 2023 - 9:15 p.m.

CVE-2023-44389

2023-10-0421:15:10

CWE-79

[email protected]

web.nvd.nist.gov

zope

web application

script execution

security vulnerability

patch release

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

24.4%

JSON

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6.

Affected configurations

Nvd

Node

zopezopeRange4.0–4.8.11

zopezopeRange5.0–5.8.6

VendorProductVersionCPE
zopezope*cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zope	zope	*	cpe:2.3:a:zope:zope::::::::

References

github.com/zopefoundation/Zope/commit/21dfa78609ffd8b6bd8143805678ebbacae5141a

github.com/zopefoundation/Zope/commit/aeaf2cdc80dff60815e3706af448f086ddc3b98d

github.com/zopefoundation/Zope/security/advisories/GHSA-m755-gxxg-r5qh