The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary
commands with the privileges of the Zope service.

Versions Affected: Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Zope 2.11.x, Zope 2.10.x, or prior.

You can either install the Hotfix as an egg release from
http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as
an old-style product release available from

Alternatively you can upgrade to the latest bugfix release of Zope.
Versions 2.12.20 and 2.13.10 will be released today and include the
fix for this vulnerability.

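As an added example (not part of the advisory and not code from the Zope project), the following Python script classifies an installed Zope version against the affected series and the fixed releases named above, so an administrator can check an inventory of instances before upgrading or applying the hotfix. The hostnames, version strings and the "hotfix installed" flag in the sample inventory are constructed inputs; the "out of scope" result for versions newer than 2.13.x is an assumption, since the advisory says nothing about them.

```python
# Added example: classify Zope versions against the ranges stated in the
# CVE-2011-3587 advisory. Not the Zope project's own code.
import re

# Fixed releases named in the advisory, keyed by affected minor series.
FIXED_RELEASES = {(2, 12): (2, 12, 20), (2, 13): (2, 13, 10)}


def parse_version(version):
    """Parse 'major.minor[.patch]' into a tuple of ints.

    Trailing pre-release suffixes (e.g. '2.13.0a1') are ignored, so a
    pre-release of a fixed version is treated as the same patch level.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Zope version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version, hotfix_installed=False):
    """Return the exposure status of one Zope instance for CVE-2011-3587.

    'not affected'       -> 2.11.x, 2.10.x or earlier (per the advisory)
    'fixed'              -> 2.12.20+ or 2.13.10+
    'mitigated by hotfix'-> affected series, but Products.Zope_Hotfix_CVE_2011_3587 installed
    'affected'           -> affected series, no fix and no hotfix
    'out of scope'       -> newer than 2.13.x; the advisory does not cover
                            these (assumption: treat them separately)
    """
    v = parse_version(version)
    if v < (2, 12):
        return "not affected"
    series = v[:2]
    if series not in FIXED_RELEASES:
        return "out of scope"
    if v >= FIXED_RELEASES[series]:
        return "fixed"
    return "mitigated by hotfix" if hotfix_installed else "affected"


# Constructed sample inventory: (hostname, reported version, hotfix installed).
SAMPLE_INVENTORY = [
    ("zope-a.example.internal", "2.13.9", False),
    ("zope-b.example.internal", "2.12.20", False),
    ("zope-c.example.internal", "2.12.19", True),
    ("zope-d.example.internal", "2.11.8", False),
    ("zope-e.example.internal", "2.13.0a1", False),
]


def report(inventory=SAMPLE_INVENTORY):
    """Map each host in the inventory to its exposure status."""
    return {host: assess(version, hotfix) for host, version, hotfix in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Instances reported as "affected" need either the hotfix egg or an upgrade to 2.12.20 / 2.13.10; "mitigated by hotfix" instances still warrant the upgrade once it is released, since the hotfix is an interim measure.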
Please refer to
for more details.

The Plone community has also released a security hotfix today covering
an additional security issue. If you are using Plone, please refer to

On behalf of the Zope security response team,

Zope-Dev maillist - Zope-Dev@zope.org