We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-51734

User data deletion by anoynmous users in Zope



Description

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

Reserved 2024-10-31 | Published 2024-11-04 | Updated 2024-11-21 | Assigner GitHub_M


HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-284: Improper Access Control

Product status

Zope AccessControl: < 7.2
affected

Zope bundle: < 5.11.1
affected

References

github.com/...ontrol/security/advisories/GHSA-g5vw-3h65-2q3v

github.com/zopefoundation/AccessControl/issues/159

cve.org (CVE-2024-51734)

nvd.nist.gov (CVE-2024-51734)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-51734

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.