Access control vulnerable to user data deletion by anonynmous users
Anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access.
Advisories for Pypi/AccessControl package
2024
2023
Exposure of Sensitive Information to an Unauthorized Actor
AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown getattr and getitem, not the policy restricted AccessControl variants getattr and getitem. This can lead to critical information disclosure. AccessControl already provides a safe variant for str.format and denies …
2021
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Zope is an open-source web application server. Zope versions have a remote code execution security issue.
Improperly Controlled Modification of Dynamically-Determined Object Attributes
The module AccessControl defines security policies for Python code used in restricted code within Zope applications.