At LWN.net: "Shane Hathaway recently identified a potential security issue in
Zope that could affect sites that let untrusted users write DTML
code. The issue affects Zope versions 2.2.0 through 2.4.1.
The issue involves the 'fmt' attribute of dtml-var tags. Without
this correction, Zope does not check security access to methods
invoked through 'fmt'."