
CVE-2024-51734: User data deletion by anonymous users in Zope

8.7 CVSS

Description

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.
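To make the workaround concrete, here is an added, simplified Python model of how AccessControl resolves a `<name>__roles__` class declaration, showing why `data__roles__ = ()` closes anonymous access to the folder's `data`. This is an illustration written for this page, not AccessControl's own code; the folder class names and the permissive fallback for undeclared attributes are assumptions of the model.

```python
"""Simplified model of how Zope's AccessControl resolves attribute
protection from ``<name>__roles__`` class attributes.  This is an added
illustration, not AccessControl's own code: the real policy lives in
AccessControl.ZopeSecurityPolicy and has many more branches."""

# Sentinel meaning "no roles declaration found" (mirrors AccessControl's _noroles).
_NOROLES = object()
ACCESS_PUBLIC = None   # __roles__ = None -> anyone may access; () -> private

def get_roles(container, name, value):
    """Roles protecting ``container.name``: the value's own ``__roles__`` wins,
    otherwise ``<name>__roles__`` looked up on the container's class."""
    roles = getattr(value, "__roles__", _NOROLES)
    if roles is _NOROLES:
        roles = getattr(type(container), name + "__roles__", _NOROLES)
    return roles

def may_access(user_roles, container, name):
    """True if a user holding ``user_roles`` may reach ``container.name``
    through URL traversal or restricted code (local roles are ignored here)."""
    value = getattr(container, name)
    roles = get_roles(container, name, value)
    if roles is _NOROLES:
        # Undeclared attribute: fall back to the container's policy.  The
        # modelled folder is permissive, which is the behaviour the advisory
        # describes for the unpatched UserFolder (assumption of this model).
        return bool(getattr(container, "__allow_access_to_unprotected_subobjects__", 0))
    if roles is ACCESS_PUBLIC:
        return True
    return any(r in roles for r in user_roles)   # an empty tuple never matches

class VulnerableUserFolder:
    """Stand-in for the unpatched folder: ``data`` carries no roles declaration."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self):
        self.data = {"admin": "<hashed password>"}   # constructed sample entry

class PatchedUserFolder(VulnerableUserFolder):
    """Same folder with the advisory's workaround applied."""
    data__roles__ = ()   # private: only unrestricted filesystem Python may use it

def anonymous_can_reach_data(folder_cls):
    """Can a user whose only role is Anonymous reach ``data`` on this folder?"""
    return may_access(["Anonymous"], folder_cls(), "data")
```

Note that `()` denies every role, including Manager, so the workaround keeps `data` reachable only from unrestricted code, which is the intended effect.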

Classification

CVE ID: CVE-2024-51734

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

Affected Products

Vendor: zopefoundation

Product: AccessControl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.71% (share of all scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-02-20 (date the score was calculated)

References

https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v
https://github.com/zopefoundation/AccessControl/issues/159

Timeline