Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/roundup@1.4.15

Type pypi

Namespace

Name roundup

Version 1.4.15

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.5.0

Latest_non_vulnerable_version 2.5.0

Affected_by_vulnerabilities

url VCID-1w67-ygzj-fugz

vulnerability_id VCID-1w67-ygzj-fugz

summary schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

references

reference_url	http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9
reference_id
reference_type
scores
url	http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml

reference_url	https://github.com/roundup-tracker/roundup
reference_id
reference_type
scores
url	https://github.com/roundup-tracker/roundup

reference_url	https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt
reference_id
reference_type
scores
url	https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt

reference_url	http://www.debian.org/security/2016/dsa-3502
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3502

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2014-6276
reference_id	CVE-2014-6276
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2014-6276

reference_url	https://github.com/advisories/GHSA-j556-q367-2gw6
reference_id	GHSA-j556-q367-2gw6
reference_type
scores
url	https://github.com/advisories/GHSA-j556-q367-2gw6

fixed_packages

url pkg:pypi/roundup@1.5.1

purl pkg:pypi/roundup@1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.5.1

aliases CVE-2014-6276, GHSA-j556-q367-2gw6, PYSEC-2016-33

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1w67-ygzj-fugz

url VCID-7kxe-bm1g-eyhe

vulnerability_id VCID-7kxe-bm1g-eyhe

summary Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

references

reference_url	http://issues.roundup-tracker.org/issue2550711
reference_id
reference_type
scores
url	http://issues.roundup-tracker.org/issue2550711

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=722672
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=722672

reference_url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84190
reference_id
reference_type
scores
url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84190

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml

reference_url	https://github.com/roundup-tracker/roundup
reference_id
reference_type
scores
url	https://github.com/roundup-tracker/roundup

reference_url	https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e
reference_id
reference_type
scores
url	https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e

reference_url	https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646
reference_id
reference_type
scores
url	https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646

reference_url	https://pypi.python.org/pypi/roundup/1.4.20
reference_id
reference_type
scores
url	https://pypi.python.org/pypi/roundup/1.4.20

reference_url	http://www.openwall.com/lists/oss-security/2012/11/10/2
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2012/11/10/2

reference_url	http://www.openwall.com/lists/oss-security/2013/02/13/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2013/02/13/8

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2012-6131
reference_id	CVE-2012-6131
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2012-6131

reference_url	https://github.com/advisories/GHSA-gw2q-cgvq-9g3v
reference_id	GHSA-gw2q-cgvq-9g3v
reference_type
scores
url	https://github.com/advisories/GHSA-gw2q-cgvq-9g3v

fixed_packages

url pkg:pypi/roundup@1.4.20

purl pkg:pypi/roundup@1.4.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w67-ygzj-fugz

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20

aliases CVE-2012-6131, GHSA-gw2q-cgvq-9g3v, PYSEC-2014-16

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7kxe-bm1g-eyhe

url VCID-9qv2-nkkm-53ae

vulnerability_id VCID-9qv2-nkkm-53ae

summary Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

references

reference_url	http://issues.roundup-tracker.org/issue2550684
reference_id
reference_type
scores
url	http://issues.roundup-tracker.org/issue2550684

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=722672
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=722672

reference_url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84189
reference_id
reference_type
scores
url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84189

reference_url	https://pypi.python.org/pypi/roundup/1.4.20
reference_id
reference_type
scores
url	https://pypi.python.org/pypi/roundup/1.4.20

reference_url	http://www.openwall.com/lists/oss-security/2012/11/10/2
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2012/11/10/2

reference_url	http://www.openwall.com/lists/oss-security/2013/02/13/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2013/02/13/8

fixed_packages

url pkg:pypi/roundup@1.4.20

purl pkg:pypi/roundup@1.4.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w67-ygzj-fugz

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20

aliases CVE-2012-6130, PYSEC-2014-15

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9qv2-nkkm-53ae

url VCID-9ydc-txfc-pqe6

vulnerability_id VCID-9ydc-txfc-pqe6

summary In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

references

reference_url	https://www.roundup-tracker.org/docs/security.html
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/docs/security.html

reference_url	https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865

fixed_packages

url	pkg:pypi/roundup@2.5.0
purl	pkg:pypi/roundup@2.5.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.5.0

aliases CVE-2025-53865, PYSEC-2025-69

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ydc-txfc-pqe6

url VCID-agp7-u68t-abbe

vulnerability_id VCID-agp7-u68t-abbe

summary In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

references

reference_url	https://www.roundup-tracker.org/
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/

reference_url	https://www.roundup-tracker.org/docs/security.html#cve-announcements
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/docs/security.html#cve-announcements

fixed_packages

url pkg:pypi/roundup@2.4.0

purl pkg:pypi/roundup@2.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0

aliases CVE-2024-39124, PYSEC-2024-63

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-agp7-u68t-abbe

url VCID-be33-dgsb-nycm

vulnerability_id VCID-be33-dgsb-nycm

summary Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

references

reference_url	https://bugs.python.org/issue36391
reference_id
reference_type
scores
url	https://bugs.python.org/issue36391

reference_url	https://github.com/advisories/GHSA-926q-wxr6-3crq
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-926q-wxr6-3crq

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml

reference_url	https://github.com/python/bugs.python.org/issues/34
reference_id
reference_type
scores
url	https://github.com/python/bugs.python.org/issues/34

reference_url	https://github.com/roundup-tracker/roundup
reference_id
reference_type
scores
url	https://github.com/roundup-tracker/roundup

reference_url	https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html

reference_url	https://pypi.org/project/roundup/2.0.0alpha0
reference_id
reference_type
scores
url	https://pypi.org/project/roundup/2.0.0alpha0

reference_url	https://www.openwall.com/lists/oss-security/2019/04/05/1
reference_id
reference_type
scores
url	https://www.openwall.com/lists/oss-security/2019/04/05/1

reference_url	http://www.openwall.com/lists/oss-security/2019/04/07/1
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2019/04/07/1

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-10904
reference_id	CVE-2019-10904
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-10904

fixed_packages

url pkg:pypi/roundup@2.0.0a0

purl pkg:pypi/roundup@2.0.0a0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0a0

url pkg:pypi/roundup@2.0.0

purl pkg:pypi/roundup@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0

aliases CVE-2019-10904, GHSA-926q-wxr6-3crq, PYSEC-2019-201

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-be33-dgsb-nycm

url VCID-m8r5-mtwf-cbgm

vulnerability_id VCID-m8r5-mtwf-cbgm

summary Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

references

reference_url	https://www.roundup-tracker.org
reference_id
reference_type
scores
url	https://www.roundup-tracker.org

reference_url	https://www.roundup-tracker.org/docs/security.html#cve-announcements
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/docs/security.html#cve-announcements

fixed_packages

url pkg:pypi/roundup@2.4.0

purl pkg:pypi/roundup@2.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0

aliases CVE-2024-39126, PYSEC-2024-65

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m8r5-mtwf-cbgm

url VCID-rpbj-pyv7-3kag

vulnerability_id VCID-rpbj-pyv7-3kag

summary Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.

references

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=722672
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=722672

reference_url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84191
reference_id
reference_type
scores
url	https://exchange.xforce.ibmcloud.com/vulnerabilities/84191

reference_url	http://www.openwall.com/lists/oss-security/2012/11/10/2
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2012/11/10/2

reference_url	http://www.openwall.com/lists/oss-security/2013/02/13/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2013/02/13/8

fixed_packages

url pkg:pypi/roundup@1.4.20

purl pkg:pypi/roundup@1.4.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w67-ygzj-fugz

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20

aliases CVE-2012-6132, PYSEC-2014-96

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpbj-pyv7-3kag

url VCID-yufw-2bru-h7h1

vulnerability_id VCID-yufw-2bru-h7h1

summary Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

references

reference_url	https://www.roundup-tracker.org
reference_id
reference_type
scores
url	https://www.roundup-tracker.org

reference_url	https://www.roundup-tracker.org/docs/security.html#cve-announcements
reference_id
reference_type
scores
url	https://www.roundup-tracker.org/docs/security.html#cve-announcements

fixed_packages

url pkg:pypi/roundup@2.4.0

purl pkg:pypi/roundup@2.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ydc-txfc-pqe6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0

aliases CVE-2024-39125, PYSEC-2024-64

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yufw-2bru-h7h1

url VCID-zbqf-gvrf-m3fs

vulnerability_id VCID-zbqf-gvrf-m3fs

summary Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.

references

reference_url	http://issues.roundup-tracker.org/issue2550724
reference_id
reference_type
scores
url	http://issues.roundup-tracker.org/issue2550724

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=722672
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=722672

reference_url	https://github.com/advisories/GHSA-5jq3-8437-x35p
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-5jq3-8437-x35p

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml

reference_url	https://pypi.python.org/pypi/roundup/1.4.20
reference_id
reference_type
scores
url	https://pypi.python.org/pypi/roundup/1.4.20

reference_url	http://www.openwall.com/lists/oss-security/2012/11/10/2
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2012/11/10/2

reference_url	http://www.openwall.com/lists/oss-security/2013/02/13/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2013/02/13/8

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2012-6133
reference_id	CVE-2012-6133
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2012-6133

fixed_packages

url pkg:pypi/roundup@1.4.20

purl pkg:pypi/roundup@1.4.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w67-ygzj-fugz

vulnerability	VCID-9ydc-txfc-pqe6

vulnerability	VCID-agp7-u68t-abbe

vulnerability	VCID-be33-dgsb-nycm

vulnerability	VCID-m8r5-mtwf-cbgm

vulnerability	VCID-yufw-2bru-h7h1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20

aliases CVE-2012-6133, GHSA-5jq3-8437-x35p, PYSEC-2020-212

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zbqf-gvrf-m3fs

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.15

Package Instance