CVE-2010-1104: Moderate severity vulnerability that affects Zope2
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2010-1104
GHSA ID
EPSS Score: 0.62414%
CWE
Published: 7/23/2018
Updated: 1/9/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Zope2 | pip | >= 2.8.0, < 2.8.12 | 2.8.12 |
Zope2 | pip | >= 2.9.0, < 2.9.12 | 2.9.12 |
Zope2 | pip | >= 2.10.0, < 2.10.11 | 2.10.11 |
Zope2 | pip | >= 2.11.0, < 2.11.6 | 2.11.6 |
Zope2 | pip | >= 2.12.0, < 2.12.3 | 2.12.3 |
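
To triage an inventory against the table above, this added example (not part of the advisory or of Zope) classifies an installed Zope2 version string by numeric comparison, so that 2.9.x and 2.10.x sort correctly. The function names, and the rule that any non-numeric suffix is treated as a pre-release sorting below the final release, are assumptions.

```python
import re

# Transcribed from the advisory table: release branch -> first patched version.
FIRST_PATCHED = {
    (2, 8): (2, 8, 12),
    (2, 9): (2, 9, 12),
    (2, 10): (2, 10, 11),
    (2, 11): (2, 11, 6),
    (2, 12): (2, 12, 3),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse(version):
    """Return (release_tuple, is_final) for a version string such as '2.10.11'."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError("unparseable version: %r" % version)
    release = tuple(int(part) for part in match.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad "2.12" to (2, 12, 0)
    # Assumption: any suffix ("b1", ".dev0", ...) marks a pre-release.
    return release, match.group(2) == ""


def triage(version):
    """Return (status, first_patched) for an installed Zope2 version.

    status is "vulnerable", "patched", or "not-listed" (the table has no
    range covering this version, so the advisory makes no statement).
    """
    release, is_final = parse(version)
    patched = FIRST_PATCHED.get(release[:2])
    if patched is None:
        return "not-listed", None
    key = release + (1 if is_final else 0,)  # pre-releases sort below finals
    lower = release[:2] + (0, 1)             # range starts at X.Y.0 final
    upper = patched + (1,)                   # range ends before the fix
    if key < lower:
        return "not-listed", None
    fixed = ".".join(str(n) for n in patched)
    return ("vulnerable" if key < upper else "patched"), fixed
```
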
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The Zope announcement explicitly references a broken 'standard_error_message' template as the attack vector. This template handles error display and would be responsible for proper output encoding. The vulnerability manifests when: 1) This template is in a broken/insecure state, and 2) Error messages contain raw HTML markup in their string representation. The combination allows unescaped HTML/script injection into error pages. While exact code isn't available, the template name and error message handling are directly identified in primary sources as the vulnerability location.