Zope XSS vulnerability, please update your sites

by Alexander Limi last modified Mar 21, 2007 06:15 AM

A vulnerability has been discovered in Zope whereby misuse of certain kinds of HTTP GET requests could lead to elevated privileges. All Zope versions up to and including 2.10.2 are affected.

The full description along with the hotfix for Zope 2.7, 2.8, 2.9 and 2.10 is available from the zope.org site.

The upcoming Zope releases will include this fix; in the meantime, please download the hotfix for your installations. Unpack the product and restart Zope, and the vulnerability will be patched.

You are only affected by this vulnerability if you allow untrusted users to log in to your site and create content.

This news item will be updated once a CVE number has been assigned.