Description
zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
Remediation
References
Related Vulnerabilities
Squid NULL Pointer Dereference Vulnerability (CVE-2020-14058)
WordPress Cryptographic Issues Vulnerability (CVE-2009-3622)
Ruby on Rails Improper Authentication Vulnerability (CVE-2012-3424)
MediaWiki Exposure of Resource to Wrong Sphere Vulnerability (CVE-2021-31548)
WordPress Plugin Jetpack-WP Security, Backup, Speed, & Growth Multiple Vulnerabilities (3.7.0)