[Zope-dev] [Security issue] SQL injection in DTML or in connection objects
Michael Howitz
icemac at gmx.net
Wed Feb 12 13:52:52 CET 2020
On behalf of the Plone security team I am announcing this security issue in Zope also here:
CVE Identifier: CVE-2020-7939
Type: SQL injection
Severity: 4.9 – MEDIUM
Affected Zope versions:
* Zope 2 older than 2.13.30 (2.13.30 is not yet released)
* Zope 4 older than 4.2
For details see https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects
To fix the issue use the Hotfix provided at https://plone.org/security/hotfix/20200121 (version 1.1 or newer)
or upgrade to Zope 4.2+.
There is no released Zope 2.13 version yet which includes the fix. (I hope it can be released soon.)
--
Kind regards
Michael Howitz