Mailing List Archive

[Security issue] SQL injection in DTML or in connection objects
On behalf of the Plone security team I am announcing this security issue in Zope also here:

CVE Identifier: CVE-2020-7939
Type: SQL injection
Severity: 4.9 – MEDIUM
Affected Zope versions:
* Zope 2 older than 2.13.30 (2.13.30 is not yet released)
* Zope 4 older than 4.2

For details see https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects

To fix the issue, use the Hotfix provided at https://plone.org/security/hotfix/20200121 (version 1.1 or newer)
or upgrade to Zope 4.2+.
There is no released Zope 2.13 version yet which includes the fix. (I hope it can be released soon.)

--
Kind regards
Michael Howitz