[Zope-Annce] [Security issue] SQL injection in DTML or in connection objects

Michael Howitz icemac at gmx.net
Wed Feb 12 13:52:52 CET 2020


On behalf of the Plone security team I am announcing this security issue in Zope also here:

CVE Identifier: CVE-2020-7939
Type: SQL injection
Severity: 4.9 – MEDIUM
Affected Zope versions:
 * Zope 2 older than 2.13.30 (2.13.30 is not yet released)
 * Zope 4 older than 4.2

For details see https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects

To fix the issue use the Hotfix provided at https://plone.org/security/hotfix/20200121 (version 1.1 or newer)
or upgrade to Zope 4.2+.
There is no released Zope 2.13 version yet which includes the fix. (I hope it can be released soon.)

--
Kind regards
Michael Howitz
