{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","type":"pypi","namespace":"","name":"roundup","version":"1.4.20","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.5.0","latest_non_vulnerable_version":"2.5.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34987?format=json","vulnerability_id":"VCID-1w67-ygzj-fugz","summary":"schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.","references":[{"reference_url":"http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9","reference_id":"","reference_type":"","scores":[],"url":"http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2016-33.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt","reference_id":"","reference_type":"","scores":[],"url":"https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt"},{"reference_url":"http://www.debian.org/security/2016/dsa-3502","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3502"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-6276","reference_id":"CVE-2014-6276","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-6276"},{"reference_url":"https://github.com/advisories/GHSA-j556-q367-2gw6","reference_id":"GHSA-j556-q367-2gw6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j556-q367-2gw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9174?format=json","purl":"pkg:pypi/roundup@1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.5.1"}],"aliases":["CVE-2014-6276","GHSA-j556-q367-2gw6","PYSEC-2016-33"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1w67-ygzj-fugz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37092?format=json","vulnerability_id":"VCID-9ydc-txfc-pqe6","summary":"In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).","references":[{"reference_url":"https://www.roundup-tracker.org/docs/security.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html"},{"reference_url":"https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/upgrading.html#cve-2025-53865"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46024?format=json","purl":"pkg:pypi/roundup@2.5.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.5.0"}],"aliases":["CVE-2025-53865","PYSEC-2025-69"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ydc-txfc-pqe6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36840?format=json","vulnerability_id":"VCID-agp7-u68t-abbe","summary":"In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.","references":[{"reference_url":"https://www.roundup-tracker.org/","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39124","PYSEC-2024-63"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-agp7-u68t-abbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35344?format=json","vulnerability_id":"VCID-be33-dgsb-nycm","summary":"Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.","references":[{"reference_url":"https://bugs.python.org/issue36391","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.python.org/issue36391"},{"reference_url":"https://github.com/advisories/GHSA-926q-wxr6-3crq","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-926q-wxr6-3crq"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2019-201.yaml"},{"reference_url":"https://github.com/python/bugs.python.org/issues/34","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/python/bugs.python.org/issues/34"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00009.html"},{"reference_url":"https://pypi.org/project/roundup/2.0.0alpha0","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/roundup/2.0.0alpha0"},{"reference_url":"https://www.openwall.com/lists/oss-security/2019/04/05/1","reference_id":"","reference_type":"","scores":[],"url":"https://www.openwall.com/lists/oss-security/2019/04/05/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/04/07/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2019/04/07/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10904","reference_id":"CVE-2019-10904","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10904"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13284?format=json","purl":"pkg:pypi/roundup@2.0.0a0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0a0"},{"url":"http://public2.vulnerablecode.io/api/packages/13286?format=json","purl":"pkg:pypi/roundup@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.0.0"}],"aliases":["CVE-2019-10904","GHSA-926q-wxr6-3crq","PYSEC-2019-201"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-be33-dgsb-nycm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36841?format=json","vulnerability_id":"VCID-m8r5-mtwf-cbgm","summary":"Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.","references":[{"reference_url":"https://www.roundup-tracker.org","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39126","PYSEC-2024-65"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8r5-mtwf-cbgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36842?format=json","vulnerability_id":"VCID-yufw-2bru-h7h1","summary":"Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.","references":[{"reference_url":"https://www.roundup-tracker.org","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org"},{"reference_url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements","reference_id":"","reference_type":"","scores":[],"url":"https://www.roundup-tracker.org/docs/security.html#cve-announcements"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42115?format=json","purl":"pkg:pypi/roundup@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ydc-txfc-pqe6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@2.4.0"}],"aliases":["CVE-2024-39125","PYSEC-2024-64"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yufw-2bru-h7h1"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34861?format=json","vulnerability_id":"VCID-7kxe-bm1g-eyhe","summary":"Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550711","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550711"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84190","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84190"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml"},{"reference_url":"https://github.com/roundup-tracker/roundup","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e"},{"reference_url":"https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6131","reference_id":"CVE-2012-6131","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6131"},{"reference_url":"https://github.com/advisories/GHSA-gw2q-cgvq-9g3v","reference_id":"GHSA-gw2q-cgvq-9g3v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gw2q-cgvq-9g3v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6131","GHSA-gw2q-cgvq-9g3v","PYSEC-2014-16"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7kxe-bm1g-eyhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34860?format=json","vulnerability_id":"VCID-9qv2-nkkm-53ae","summary":"Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550684","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550684"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84189","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84189"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6130","PYSEC-2014-15"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9qv2-nkkm-53ae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34859?format=json","vulnerability_id":"VCID-rpbj-pyv7-3kag","summary":"Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84191","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84191"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6132","PYSEC-2014-96"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpbj-pyv7-3kag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35503?format=json","vulnerability_id":"VCID-zbqf-gvrf-m3fs","summary":"Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.","references":[{"reference_url":"http://issues.roundup-tracker.org/issue2550724","reference_id":"","reference_type":"","scores":[],"url":"http://issues.roundup-tracker.org/issue2550724"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=722672"},{"reference_url":"https://github.com/advisories/GHSA-5jq3-8437-x35p","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5jq3-8437-x35p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2020-212.yaml"},{"reference_url":"https://pypi.python.org/pypi/roundup/1.4.20","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.python.org/pypi/roundup/1.4.20"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2013/02/13/8","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2013/02/13/8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6133","reference_id":"CVE-2012-6133","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6133"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/7967?format=json","purl":"pkg:pypi/roundup@1.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w67-ygzj-fugz"},{"vulnerability":"VCID-9ydc-txfc-pqe6"},{"vulnerability":"VCID-agp7-u68t-abbe"},{"vulnerability":"VCID-be33-dgsb-nycm"},{"vulnerability":"VCID-m8r5-mtwf-cbgm"},{"vulnerability":"VCID-yufw-2bru-h7h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}],"aliases":["CVE-2012-6133","GHSA-5jq3-8437-x35p","PYSEC-2020-212"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zbqf-gvrf-m3fs"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/roundup@1.4.20"}