{"url":"http://public2.vulnerablecode.io/api/packages/6858?format=json","purl":"pkg:pypi/roundup@0.7.3","type":"pypi","namespace":"","name":"roundup","version":"0.7.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.5","latest_non_vulnerable_version":"2.5.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34987?format=json","vulnerability_id":"VCID-1w67-ygzj-fugz","summary":"schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.","references":[{"reference_url":"http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9","reference_id":"","reference_type":"","scores":[],"url":"http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt","reference_id":"","reference_type":"","scores":[],"url":"https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt"},{"reference_url":"http://www.debian.org/security/2016/dsa-3502","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3502"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-6276","reference_id":"CVE-2014-6276","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-6276"},{"reference_url":"https://github.com/advisories/GHSA-j556-q367-2gw6","reference_id":"GHSA-j556-q367-2gw6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j556-q367-2gw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9174?format=json","purl":"pkg:pypi/roundup@1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.5.1"}],"aliases":["CVE-2014-6276","GHSA-j556-q367-2gw6","PYSEC-2016-33"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1w67-ygzj-fugz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34861?format=json","vulnerability_id":"VCID-7kxe-bm1g-eyhe","summary":"Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550711","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550711"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84190","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84190"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6131","reference_id":"CVE-2012-6131","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6131"},{"reference_url":"https://github.com/advisories/GHSA-gw2q-cgvq-9g3v","reference_id":"GHSA-gw2q-cgvq-9g3v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gw2q-cgvq-9g3v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6131","GHSA-gw2q-cgvq-9g3v","PYSEC-2014-16"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7kxe-bm1g-eyhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34860?format=json","vulnerability_id":"VCID-9qv2-nkkm-53ae","summary":"Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550684","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550684"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84189","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84189"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6130","PYSEC-2014-15"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9qv2-nkkm-53ae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37092?format=json","vulnerability_id":"VCID-9ydc-txfc-pqe6","summary":"In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).","references":[{"reference_url":"https://www.roundup-tracker.org/docs/security.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html"},{"reference_url":"https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46024?format=json","purl":"pkg:pypi/roundup@2.5.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.5.0"}],"aliases":["CVE-2025-53865","PYSEC-2025-69"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ydc-txfc-pqe6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36840?format=json","vulnerability_id":"VCID-agp7-u68t-abbe","summary":"In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.","references":[{"reference_url":"https://www.roundup-tracker.org/","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39124","PYSEC-2024-63"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-agp7-u68t-abbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35344?format=json","vulnerability_id":"VCID-be33-dgsb-nycm","summary":"Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.","references":[{"reference_url":"https://bugs.python.org/issue36391","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.python.org/issue36391"},{"reference_url":"https://github.com/advisories/GHSA-926q-wxr6-3crq","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-926q-wxr6-3crq"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml"},{"reference_url":"https://github.com/python/bugs.python.org/issues/34","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/python/bugs.python.org/issues/34"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html"},{"reference_url":"https://pypi.org/project/roundup/2.0.0alpha0","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/roundup/2.0.0alpha0"},{"reference_url":"https://www.openwall.com/lists/oss-security/2019/04/05/1","reference_id":"","reference_type":"","scores":[],"url":"https://www.openwall.com/lists/oss-security/2019/04/05/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/04/07/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2019/04/07/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10904","reference_id":"CVE-2019-10904","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10904"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13284?format=json","purl":"pkg:pypi/roundup@2.0.0a0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0a0"},{"url":"http://public2.vulnerablecode.io/api/packages/13286?format=json","purl":"pkg:pypi/roundup@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0"}],"aliases":["CVE-2019-10904","GHSA-926q-wxr6-3crq","PYSEC-2019-201"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-be33-dgsb-nycm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36841?format=json","vulnerability_id":"VCID-m8r5-mtwf-cbgm","summary":"Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.","references":[{"reference_url":"https://www.roundup-tracker.org","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39126","PYSEC-2024-65"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8r5-mtwf-cbgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34703?format=json","vulnerability_id":"VCID-mz57-w4e7-k7gw","summary":"Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.","references":[{"reference_url":"http://bugs.gentoo.org/show_bug.cgi?id=326395","reference_id":"","reference_type":"","scores":[],"url":"http://bugs.gentoo.org/show_bug.cgi?id=326395"},{"reference_url":"http://issues.roundup-tracker.org/issue2550654","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550654"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048018.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048018.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048061.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048061.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048221.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2010-September/048221.html"},{"reference_url":"http://roundup.svn.sourceforge.net/viewvc/roundup/roundup/trunk/roundup/cgi/client.py?r1=4486&r2=4485&pathrev=4486","reference_id":"","reference_type":"","scores":[],"url":"http://roundup.svn.sourceforge.net/viewvc/roundup/roundup/trunk/roundup/cgi/client.py?r1=4486&r2=4485&pathrev=4486"},{"reference_url":"http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486","reference_id":"","reference_type":"","scores":[],"url":"http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=610861","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=610861"},{"reference_url":"http://secunia.com/advisories/40433","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/40433"},{"reference_url":"http://secunia.com/advisories/41585","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/41585"},{"reference_url":"http://sourceforge.net/mailarchive/message.php?msg_name=AANLkTimIYtyRzTAReGmTSCEqPYBvwkkxrP6YKrdVm_nU%40mail.gmail.com","reference_id":"","reference_type":"","scores":[],"url":"http://sourceforge.net/mailarchive/message.php?msg_name=AANLkTimIYtyRzTAReGmTSCEqPYBvwkkxrP6YKrdVm_nU%40mail.gmail.com"},{"reference_url":"http://www.openwall.com/lists/oss-security/2010/07/02/12","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2010/07/02/12"},{"reference_url":"http://www.openwall.com/lists/oss-security/2010/07/02/3","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2010/07/02/3"},{"reference_url":"http://www.securityfocus.com/bid/41326","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/41326"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7044?format=json","purl":"pkg:pypi/roundup@1.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-7kxe-bm1g-eyhe"},{"vulnerability":"VCID-9qv2-nkkm-53ae"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-rpbj-pyv7-3kag"},{"vulnerability":"VCID-yufw-2bru-h7h1"},{"vulnerability":"VCID-zbqf-gvrf-m3fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.14"}],"aliases":["CVE-2010-2491","PYSEC-2010-31"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mz57-w4e7-k7gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34859?format=json","vulnerability_id":"VCID-rpbj-pyv7-3kag","summary":"Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84191","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84191"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6132","PYSEC-2014-96"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpbj-pyv7-3kag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34660?format=json","vulnerability_id":"VCID-v7q2-pt76-qbb4","summary":"The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=436546","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=436546"},{"reference_url":"http://secunia.com/advisories/29336","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/29336"},{"reference_url":"http://secunia.com/advisories/29375","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/29375"},{"reference_url":"http://secunia.com/advisories/30274","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/30274"},{"reference_url":"http://secunia.com/advisories/32805","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/32805"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200805-21.xml","reference_id":"","reference_type":"","scores":[],"url":"http://security.gentoo.org/glsa/glsa-200805-21.xml"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41240","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41240"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2008-10.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2008-10.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/c00b7e5801f8baa246fa76b4aad5287882310189","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/c00b7e5801f8baa246fa76b4aad5287882310189"},{"reference_url":"http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788","reference_id":"","reference_type":"","scores":[],"url":"http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00452.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00452.html"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00478.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00478.html"},{"reference_url":"http://www.securityfocus.com/bid/28238","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/28238"},{"reference_url":"http://www.vupen.com/english/advisories/2008/0891","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2008/0891"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2008-1475","reference_id":"CVE-2008-1475","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-1475"},{"reference_url":"https://github.com/advisories/GHSA-j59j-h3g7-cpmf","reference_id":"GHSA-j59j-h3g7-cpmf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j59j-h3g7-cpmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6891?format=json","purl":"pkg:pypi/roundup@1.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.5"}],"aliases":["CVE-2008-1475","GHSA-j59j-h3g7-cpmf","PYSEC-2008-10"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v7q2-pt76-qbb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34659?format=json","vulnerability_id":"VCID-vg3s-h9xc-83cx","summary":"Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).","references":[{"reference_url":"http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?revision=1.939&view=markup","reference_id":"","reference_type":"","scores":[],"url":"http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?revision=1.939&view=markup"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=436546","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=436546"},{"reference_url":"http://secunia.com/advisories/29336","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/29336"},{"reference_url":"http://secunia.com/advisories/29375","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/29375"},{"reference_url":"http://secunia.com/advisories/29848","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/29848"},{"reference_url":"http://secunia.com/advisories/30274","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/30274"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200805-21.xml","reference_id":"","reference_type":"","scores":[],"url":"http://security.gentoo.org/glsa/glsa-200805-21.xml"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41241","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41241"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2008-9.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2008-9.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/151ffd3367e7af563a92aabb3a8034a0f49063d9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/151ffd3367e7af563a92aabb3a8034a0f49063d9"},{"reference_url":"https://lists.debian.org/debian-security-announce/2008/msg00125.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-security-announce/2008/msg00125.html"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html"},{"reference_url":"http://www.debian.org/security/2008/dsa-1554","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2008/dsa-1554"},{"reference_url":"http://www.securityfocus.com/bid/28239","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/28239"},{"reference_url":"http://www.vupen.com/english/advisories/2008/0891","reference_id":"","reference_type":"","scores":[],"url":"http://www.vupen.com/english/advisories/2008/0891"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2008-1474","reference_id":"CVE-2008-1474","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-1474"},{"reference_url":"https://github.com/advisories/GHSA-c3qv-mf8h-434r","reference_id":"GHSA-c3qv-mf8h-434r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c3qv-mf8h-434r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6890?format=json","purl":"pkg:pypi/roundup@1.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-7kxe-bm1g-eyhe"},{"vulnerability":"VCID-9qv2-nkkm-53ae"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-mz57-w4e7-k7gw"},{"vulnerability":"VCID-rpbj-pyv7-3kag"},{"vulnerability":"VCID-v7q2-pt76-qbb4"},{"vulnerability":"VCID-yufw-2bru-h7h1"},{"vulnerability":"VCID-zbqf-gvrf-m3fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.4"}],"aliases":["CVE-2008-1474","GHSA-c3qv-mf8h-434r","PYSEC-2008-9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vg3s-h9xc-83cx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36842?format=json","vulnerability_id":"VCID-yufw-2bru-h7h1","summary":"Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.","references":[{"reference_url":"https://www.roundup-tracker.org","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39125","PYSEC-2024-64"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yufw-2bru-h7h1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35503?format=json","vulnerability_id":"VCID-zbqf-gvrf-m3fs","summary":"Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550724","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550724"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://github.com/advisories/GHSA-5jq3-8437-x35p","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5jq3-8437-x35p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6133","reference_id":"CVE-2012-6133","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6133"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6133","GHSA-5jq3-8437-x35p","PYSEC-2020-212"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zbqf-gvrf-m3fs"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43056?format=json","vulnerability_id":"VCID-b252-jrdw-6bcm","summary":"Roundup Directory traversal vulnerability\nDirectory traversal vulnerability in Roundup 0.6.4 and earlier allows remote attackers to view arbitrary files via `..` (dot dot) sequences in an `@@` command in an HTTP GET request.","references":[{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/16350","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/16350"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2004-1444","reference_id":"CVE-2004-1444","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2004-1444"},{"reference_url":"https://github.com/advisories/GHSA-q7mf-hp9m-cx6f","reference_id":"GHSA-q7mf-hp9m-cx6f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q7mf-hp9m-cx6f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6858?format=json","purl":"pkg:pypi/roundup@0.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-7kxe-bm1g-eyhe"},{"vulnerability":"VCID-9qv2-nkkm-53ae"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-mz57-w4e7-k7gw"},{"vulnerability":"VCID-rpbj-pyv7-3kag"},{"vulnerability":"VCID-v7q2-pt76-qbb4"},{"vulnerability":"VCID-vg3s-h9xc-83cx"},{"vulnerability":"VCID-yufw-2bru-h7h1"},{"vulnerability":"VCID-zbqf-gvrf-m3fs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@0.7.3"}],"aliases":["CVE-2004-1444","GHSA-q7mf-hp9m-cx6f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b252-jrdw-6bcm"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@0.7.3"}