On behalf of the Plone security team I am also announcing this security issue in Zope here:

CVE Identifier: CVE-2020-7939
Type: SQL injection
Severity: 4.9 – MEDIUM
Affected Zope versions:
* Zope 2 older than 2.13.30 (2.13.30 is not yet released)
* Zope 4 older than 4.2

For details see https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects

To fix the issue use the Hotfix provided at https://plone.org/security/hotfix/20200121 (version 1.1 or newer) or upgrade to Zope 4.2+.

There is no released Zope 2.13 version yet which includes the fix. (I hope it can be released soon.)

--
Kind regards,
Michael Howitz
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )