CVE-2000-0725
Zope does not properly restrict access to the getRoles method
EPSS 0.06%
Description
Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.
How to fix CVE-2000-0725
To remediate CVE-2000-0725, upgrade the affected package to the fixed version listed below.
- PyPI/zope—upgrade to 2.2.1 or later
Is CVE-2000-0725 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- PyPI/zope: from 0, < 2.2.1