roundup 0.6.11 vulnerabilities

Known vulnerabilities in the roundup package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `classhelpers` (_generic.help.html), due to improper sanitization. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 2.4.0 or higher.	[,2.4.0)
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via JavaScript in PDF, XML, and SVG documents. An attacker can inject malicious scripts that may be executed in the context of the user's session by embedding them into the affected document types. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 2.4.0 or higher.	[,2.4.0)
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HTTP `Referer` header. An attacker can inject malicious scripts that are executed in the context of the user's browser session. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 2.4.0 or higher.	[,2.4.0)
H Path Traversal roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Path Traversal through the `@@` command in an HTTP GET request. An attacker can access and read arbitrary files by manipulating the path with `..` sequences. Note: This vulnerability was fixed in version 0.7.3 How to fix Path Traversal? Upgrade `roundup` to version 0.7.12 or higher.	[,0.7.12)
M Insecure Defaults roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Insecure Defaults due to unsafe password handling. How to fix Insecure Defaults? Upgrade `roundup` to version 1.4.17 or higher.	[,1.4.17)
M Improper Access Control roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Improper Access Control. If the user hasn't permission on a message (notably files and content properties) and is on the nosy list, the content is sent via email. How to fix Improper Access Control? Upgrade `roundup` to version 1.4.11 or higher.	[,1.4.11)
M Improper Access Control roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Improper Access Control. A user who didn't have access to a property could deduce its content by crafting a clever search, group or sort query. How to fix Improper Access Control? Upgrade `roundup` to version 1.4.17 or higher.	[,1.4.17)
H Privilege Escalation roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Privilege Escalation via the `own_record` function. How to fix Privilege Escalation? Upgrade `roundup` to version 1.4.11 or higher.	[,1.4.11)
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 1.5.1 or higher.	[,1.5.1)
M Timing Attack roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Timing Attack via the `verifyLogin` function, because it doesn't run a password check when the user doesn't exist, which might expose valid usernames How to fix Timing Attack? Upgrade `roundup` to version 2.1.0b1 or higher.	[,2.1.0b1)
M Insecure Defaults roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Insecure Defaults when it is serving uploaded HTML files content as HTML by default. How to fix Insecure Defaults? Upgrade `roundup` to version 1.4.7 or higher.	[,1.4.7)
M Improper Access Control roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Improper Access Control due to the usage of the 'Access-Control-Allow-Credentials' header when using REST. Exploiting this vulnerability allows unauthorized third-party websites to use a user's credentials to access information in the tracker that is not publicly available. How to fix Improper Access Control? Upgrade `roundup` to version 2.3.0b2 or higher.	[,2.3.0b2)
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `@ok_message` or `@error_message` parameters. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 1.4.20 or higher.	[,1.4.20)
M Authorization Bypass roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Authorization Bypass. The xml-rpc server in Roundup does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the `list`, `display`, and `set` methods. How to fix Authorization Bypass? Upgrade `roundup` to version 1.4.5.1 or higher.	[,1.4.5.1)
C Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Multiple unspecified vulnerabilities in Roundup have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS). How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 1.4.4 or higher.	[,1.4.4)
M Cross-site Scripting (XSS) roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URI because `frontends/roundup.cgi` and `roundup/cgi/wsgi_handler.py` mishandle 404 errors. How to fix Cross-site Scripting (XSS)? Upgrade `roundup` to version 2.0.0 or higher.	[0,2.0.0)
M Information Exposure `roundup` is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.	[,1.5.1)
M Cross-site Scripting (XSS) `roundup` is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.	[,1.4.20)
M Cross-site Scripting (XSS) `roundup` is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. Cross-site Scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.	[,1.4.20)
M Cross-site Scripting (XSS) `roundup` is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. Cross-site Scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.	[,1.4.20)
M Cross-site Scripting (XSS) `roundup` is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.	[,1.4.14)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the classhelpers (_generic.help.html), due to improper sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via JavaScript in PDF, XML, and SVG documents. An attacker can inject malicious scripts that may be executed in the context of the user's session by embedding them into the affected document types.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HTTP Referer header. An attacker can inject malicious scripts that are executed in the context of the user's browser session.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)

Path Traversal

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Path Traversal through the @@ command in an HTTP GET request. An attacker can access and read arbitrary files by manipulating the path with .. sequences.

Note: This vulnerability was fixed in version 0.7.3

How to fix Path Traversal?

Upgrade roundup to version 0.7.12 or higher.

[,0.7.12)

Insecure Defaults

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Insecure Defaults due to unsafe password handling.

How to fix Insecure Defaults?

Upgrade roundup to version 1.4.17 or higher.

[,1.4.17)

Improper Access Control

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control. If the user hasn't permission on a message (notably files and content properties) and is on the nosy list, the content is sent via email.

How to fix Improper Access Control?

Upgrade roundup to version 1.4.11 or higher.

[,1.4.11)

Improper Access Control

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control. A user who didn't have access to a property could deduce its content by crafting a clever search, group or sort query.

How to fix Improper Access Control?

Upgrade roundup to version 1.4.17 or higher.

[,1.4.17)

Privilege Escalation

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Privilege Escalation via the own_record function.

How to fix Privilege Escalation?

Upgrade roundup to version 1.4.11 or higher.

[,1.4.11)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 1.5.1 or higher.

[,1.5.1)

Timing Attack

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Timing Attack via the verifyLogin function, because it doesn't run a password check when the user doesn't exist, which might expose valid usernames

How to fix Timing Attack?

Upgrade roundup to version 2.1.0b1 or higher.

[,2.1.0b1)

Insecure Defaults

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Insecure Defaults when it is serving uploaded HTML files content as HTML by default.

How to fix Insecure Defaults?

Upgrade roundup to version 1.4.7 or higher.

[,1.4.7)

Improper Access Control

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control due to the usage of the 'Access-Control-Allow-Credentials' header when using REST. Exploiting this vulnerability allows unauthorized third-party websites to use a user's credentials to access information in the tracker that is not publicly available.

How to fix Improper Access Control?

Upgrade roundup to version 2.3.0b2 or higher.

[,2.3.0b2)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the @ok_message or @error_message parameters.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 1.4.20 or higher.

[,1.4.20)

Authorization Bypass

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Authorization Bypass. The xml-rpc server in Roundup does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the list, display, and set methods.

How to fix Authorization Bypass?

Upgrade roundup to version 1.4.5.1 or higher.

[,1.4.5.1)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Multiple unspecified vulnerabilities in Roundup have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 1.4.4 or higher.

[,1.4.4)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.0.0 or higher.

[0,2.0.0)

Information Exposure

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

[,1.5.1)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

[,1.4.20)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.

[,1.4.20)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

[,1.4.20)

Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.

[,1.4.14)

roundup@0.6.11 vulnerabilities

A simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?