Zope < 2.3.3 ZClass Permission Mapping Modification Local Privilege Escalation
Medium Nessus Network Monitor Plugin ID 1446
Synopsis
The remote host is vulnerable to a flaw that allows authentication to be bypassed.

Description
The remote web server is running a version of Zope older than 2.3.3. All releases prior to version 2.3.3 contain a security issue that allows any user to visit a ZClass declaration and change its permission mappings for methods and other objects defined within the ZClass, possibly allowing unauthorized access within the Zope instance.

Solution
Update to Zope 2.3.3 or higher.