
GHSA-jff3-mwp3-f8cw

GitHub Security Advisory

Exposure of Sensitive Information to an Unauthorized Actor in Products.GenericSetup

✓ GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

### Impact
_What kind of vulnerability is it? Who is impacted?_

Information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

The problem has been fixed in version 2.1.1. Depending on how you installed Products.GenericSetup, either change the buildout version pin to 2.1.1 and re-run the buildout, or, if you used pip, run `pip install "Products.GenericSetup>=2.1.1"`.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

1. Visit the ZMI Security tab at `portal_setup/manage_access` and click on the link _Access contents information_.
2. On the next page, uncheck the box _Also use roles acquired from folders containing this object_ at the bottom, check the boxes for _Manager_ and _Owner_, and click on _Save Changes_.
3. Return to the ZMI Security tab at `portal_setup/manage_access`, scroll down to the link _View_ and click on it.
4. Again uncheck the box _Also use roles acquired from folders containing this object_ at the bottom, check the boxes for _Manager_ and _Owner_, and click on _Save Changes_.
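The same two permission changes can be scripted and, more usefully, verified across many sites. The block below is an added example, not code from the advisory or from the Products.GenericSetup project; it assumes the `manage_permission`, `rolesOfPermission` and `acquiredRolesAreUsedBy` methods of Zope's `AccessControl` RoleManager (the calls behind the ZMI Security tab), and the `FakeRoleManager` class is a constructed stand-in so the functions can be exercised without a running Zope instance.

```python
"""Harden and check the permissions on a Zope/Plone ``portal_setup`` tool.

Scripted equivalent of the manual ZMI workaround for GHSA-jff3-mwp3-f8cw:
for both ``View`` and ``Access contents information``, stop acquiring roles
from the containing folders and grant the permission only to Manager and
Owner. Added example; assumes the RoleManager API of Zope's AccessControl.
"""

# Permissions the advisory's workaround tells you to restrict.
PERMISSIONS = ("Access contents information", "View")
# Roles that keep the permissions after hardening.
RESTRICTED_ROLES = ("Manager", "Owner")


def harden_portal_setup(tool):
    """Apply the workaround to ``tool`` (the portal_setup object).

    RoleManager.manage_permission(permission, roles, acquire) is the call the
    ZMI Security tab makes when the form is saved. Returns the settings that
    were applied, keyed by permission name.
    """
    applied = {}
    for permission in PERMISSIONS:
        tool.manage_permission(permission, roles=list(RESTRICTED_ROLES), acquire=0)
        applied[permission] = {"roles": list(RESTRICTED_ROLES), "acquire": False}
    return applied


def exposed_permissions(tool):
    """Return the permissions on ``tool`` still open to anonymous visitors.

    A permission counts as exposed when the Anonymous role is selected
    directly, or when acquisition is still on: a Plone site root normally
    grants View and Access contents information to Anonymous, so the tool
    inherits that grant unless acquisition is switched off.
    """
    exposed = []
    for permission in PERMISSIONS:
        selected = {
            entry["name"]
            for entry in tool.rolesOfPermission(permission)
            if entry["selected"]  # Zope uses 'SELECTED' or ''
        }
        acquires = bool(tool.acquiredRolesAreUsedBy(permission))  # 'CHECKED' or ''
        if "Anonymous" in selected or acquires:
            exposed.append(permission)
    return exposed


class FakeRoleManager:
    """Constructed stand-in mimicking the three RoleManager methods used above.

    Starts in Zope's default state for a fresh object: no local grants,
    acquisition on. Not part of Zope; only here for offline demonstration.
    """

    ALL_ROLES = ("Anonymous", "Authenticated", "Manager", "Owner")

    def __init__(self):
        self._roles = {p: set() for p in PERMISSIONS}
        self._acquire = {p: True for p in PERMISSIONS}

    def manage_permission(self, permission, roles=(), acquire=0, REQUEST=None):
        self._roles[permission] = set(roles)
        self._acquire[permission] = bool(acquire)

    def rolesOfPermission(self, permission):
        return [
            {"name": role, "selected": "SELECTED" if role in self._roles[permission] else ""}
            for role in self.ALL_ROLES
        ]

    def acquiredRolesAreUsedBy(self, permission):
        return "CHECKED" if self._acquire[permission] else ""


if __name__ == "__main__":
    # Offline run against the stand-in. In a real deployment execute this
    # under ``bin/instance run`` and pass ``app.<site-id>.portal_setup``
    # (placeholder site id) instead of FakeRoleManager().
    tool = FakeRoleManager()
    print("before:", exposed_permissions(tool))  # acquisition on -> both exposed
    harden_portal_setup(tool)
    print("after: ", exposed_permissions(tool))  # []
```

`exposed_permissions` is the part worth keeping after the upgrade: it gives a yes/no answer per site, so the same check can be run from an instance script over every Plone site in a Zope root before and after applying the workaround.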

### References
_Are there any links users can visit to find out more?_

- [GHSA-jff3-mwp3-f8cw](https://github.com/zopefoundation/Products.GenericSetup/security/advisories/GHSA-jff3-mwp3-f8cw)
- [Products.GenericSetup on PyPI](https://pypi.org/project/Products.GenericSetup/)
- [Definition of information disclosure at MITRE](https://cwe.mitre.org/data/definitions/200.html)

### For more information
If you have any questions or comments about this advisory:
* Open an issue in the [Products.GenericSetup issue tracker](https://github.com/zopefoundation/Products.GenericSetup/issues)
* Email us at [[email protected]](mailto:[email protected])

Affected Packages

PyPI Products.GenericSetup
Affected versions: all versions before 2.1.1 (fixed in 2.1.1)

Key Information

GHSA ID: GHSA-jff3-mwp3-f8cw
Published: March 9, 2021 12:38 AM
Last Modified: October 21, 2024 8:02 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: PyPI
Primary Package: Products.GenericSetup
GitHub Reviewed: Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.