User data deletion by anoynmous users
Package
AccessControl
Affected versions
< 7.2
Patched versions
7.2
Zope
< 5.11.1
5.11.1
Description
Credits
-
n1k9 Reporter
-
d-maurer Remediation developer
-
perrinjerome Remediation reviewer
-
dataflake Remediation reviewer
Impact
Anonymous users can delete the user data maintained by an
AccessControl.userfolder.UserFolderwhich may prevent any privileged access.Patches
The problem is fixed in version 7.2.
Workarounds
The problem can be fixed by adding
data__roles__ = ()toAccessControl.userfolder.UserFolder.References
#159