The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary
commands with the privileges of the Zope service.

Versions Affected: Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.11.x, Zope 2.10.x or prior.

You can either install the Hotfix as an egg release from or as
an old-style product release available from

Alternatively you can upgrade to the latest bugfix release of Zope.
Versions 2.12.20 and 2.13.10 will be released today and include the
fix for this vulnerability.

Please refer to
for more details.

The Plone community has also released a security hotfix today covering
an additional security issue. If you are using Plone, please refer to

On behalf of the Zope security response team,
Hanno Schlichting