In Zope version 2.3.1 b1 and earlier, a user with through-the-web scripting capabilities can view and assign class attributes to ZClasses, possibly allowing them to make inappropriate changes to ZClass instances.
CVE-2000-0483
An inadequately protected method in one of the base classes in the DocumentTemplate package could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization. All Zope versions prior to 2.1.7, and Zope 2.2 beta versions prior to 2.2 beta 1, are affected by this vulnerability.
CVE-2001-0128
A vulnerability in the calculation of Local Roles in Zope 2.2.4 and earlier could allow a local user to gain privileges. Zope fails to properly check the folder hierarchy when calculating local roles. A local attacker could use this vulnerability to gain unauthorized access to folders.
CVE-2000-0725
A vulnerability in the getRoles method of user objects contained in the default UserFolder implementation could allow users with the ability to edit DTML to give themselves extra roles for the duration of a single request. All Zope versions prior to 2.2.1 beta 1 are affected by this vulnerability.
CVE-2000-0062
A problem in the DTML implementation in Zope 2.x versions prior to 2.1.2 and Zope 1.x versions prior to 1.10.4 could allow an attacker to perform unauthorized activities on the server.
For users who are unable or do not wish to upgrade, hotfixes have been made available to fix each of the above vulnerabilities.
For general information about Zope, see An Introduction to Zope by Brian Lloyd.