CRITICAL 9.1

GHSA-g5vw-3h65-2q3v

Access control vulnerable to user data deletion by anonymous users

Details

### Impact

Anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder`, which may prevent any privileged access.

### Patches

The problem is fixed in version 7.2.

### Workarounds

The problem can be fixed by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`, which declares the folder's `data` attribute private so that it cannot be reached through restricted (web-level) access.

### References

https://github.com/zopefoundation/AccessControl/issues/159


Affected packages

- PyPI / accesscontrol: introduced in 0, fixed in 7.2. Fix: `pip install --upgrade 'accesscontrol>=7.2'`
- PyPI / zope: introduced in 0, fixed in 5.11.1. Fix: `pip install --upgrade 'zope>=5.11.1'`
