Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management due to the improper enforcement of access controls in the UserFolder component. An attacker can delete user data without proper authorization. Remediation Upgrade AccessControl to version 7.2 or higher...

GHSA-G5VW-3H65-2Q3V Access control vulnerable to user data deletion by anonynmous users

Impact Anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. Patches The problem is fixed in version 7.2. Workarounds The problem can be fixed by adding dataroles = to AccessControl.userfolder.UserFolder. References...

CVE-2024-51734

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to...

CVE-2024-51734

CVE-2024-51734 affects Zope AccessControl prior to version 7.2, where anonymous users can delete data in AccessControl.userfolder.UserFolder, potentially disrupting privileged access. The issue is fixed in 7.2; a workaround is to set data__roles__ = () on the UserFolder. No exploitation details a...

CVE-2024-51734 User data deletion by anoynmous users in Zope

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to...

CVE-2024-51734 User data deletion by anoynmous users in Zope

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to...

CVE-2024-51734 User data deletion by anoynmous users in Zope

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to...

PT-2024-34872 · Zope · Zope Accesscontrol

Name of the Vulnerable Software and Affected Versions: Zope AccessControl versions prior to 7.2 Description: The issue allows anonymous users to delete the user data maintained by an AccessControl.userfolder.UserFolder, which may prevent any privileged access. Recommendations: For versions prior ...

Zope AccessControl 访问控制错误漏洞

Zope AccessControl is the common security framework used in Zope from the Zope Foundation. An access control error vulnerability exists in Zope AccessControl versions prior to 7.2, which stems from an attacker being able to delete user data maintained by AccessControl.userfolder.UserFolder, which...

Mandrake Linux Security Advisory : Zope (MDKSA-2000:043)

The exploit that was not fixed with the previous Zope hotfix involves the getRoles method of user objects contained in the default UserFolder implementation returning a mutable Python type. Because the mutable object is still associated with the persistent User object, users with the ability to...

Mandrake Linux Security Advisory : Zope (MDKSA-2000:035)

A problem exists in the Zope package with the getRoles method of user objects contained in the default UserFolder implementation. Users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the reque...