Description
Zope before 2.2.1 does not properly restrict access to the getRoles method. Because that method is reachable from DTML, any user who is allowed to edit DTML can add or modify roles simply by tampering with the roles list carried in a request, obtaining roles they were never granted.
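The flaw is a general pattern worth seeing in code: a role-assignment path that copies a request-supplied roles list into a user's roles without first checking that the caller is permitted to manage roles. The following is an added illustration written for this page, not Zope's implementation; the user store, the role names, the "Manage users" permission name and the request dictionary are all constructed for the example. It shows the unchecked path beside a hardened one that both verifies the caller's permission and rejects roles that do not exist.

```python
"""Model of trusting a request-supplied roles list (added example, not Zope code)."""

# Assumed permission name used for illustration only.
MANAGE_USERS = "Manage users"

# Constructed role -> permission map (hypothetical roles for the example).
ROLE_PERMISSIONS = {
    "DTML Editor": {"Change DTML"},
    "Manager": {"Change DTML", MANAGE_USERS},
}
VALID_ROLES = set(ROLE_PERMISSIONS)


class PermissionDenied(Exception):
    """Raised when a caller lacks the permission an operation requires."""


def fresh_users():
    """Constructed sample user store: user id -> set of roles."""
    return {"editor": {"DTML Editor"}, "admin": {"Manager"}}


def has_permission(users, caller, permission):
    """True if any role held by `caller` grants `permission`."""
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in users.get(caller, ()))


def set_roles_unchecked(users, target, request):
    """Vulnerable pattern: the roles list is taken straight from the request
    and nobody verifies that the caller may manage users, so a DTML editor who
    can shape the request can hand any user, including themselves, any role."""
    users[target] = set(request.get("roles", []))
    return users[target]


def set_roles_checked(users, caller, target, request):
    """Hardened pattern: require the caller to hold the user-management
    permission, then accept only roles that are actually defined."""
    if not has_permission(users, caller, MANAGE_USERS):
        raise PermissionDenied(f"{caller!r} may not manage roles")
    roles = set(request.get("roles", []))
    unknown = roles - VALID_ROLES
    if unknown:
        raise ValueError(f"unknown roles requested: {sorted(unknown)}")
    users[target] = roles
    return users[target]


def demo():
    """Replay one forged request against both paths.

    Returns (escalated, denied): whether the unchecked path granted the editor
    the Manager role, and whether the checked path refused the same request.
    """
    forged = {"roles": ["DTML Editor", "Manager"]}  # constructed request body
    escalated = "Manager" in set_roles_unchecked(fresh_users(), "editor", forged)
    try:
        set_roles_checked(fresh_users(), "editor", "editor", forged)
        denied = False
    except PermissionDenied:
        denied = True
    return escalated, denied


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (True, True): the unchecked path lets the editor make themselves a Manager, while the checked path rejects the request because the editor's only role carries no user-management permission. The extra check against VALID_ROLES matters too: even a legitimate manager should not be able to persist a role name the system does not define.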
Remediation
Upgrade to Zope 2.2.1 or later, which restricts access to the getRoles method. Until the upgrade is applied, treat the ability to edit DTML as equivalent to the ability to assign arbitrary roles, and grant it only to trusted users.
References
Related Vulnerabilities
WordPress Plugin Swipe Checkout for eShop Cross-Site Scripting (3.7.0)
Plone CMS Use of Externally-Controlled Format String Vulnerability (CVE-2017-5524)
Ruby on Rails Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2008-5189)
WordPress Plugin AJAX Random Post Cross-Site Scripting (2.00)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2367)