roundup@1.4.15 vulnerabilities

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via JavaScript in PDF, XML, and SVG documents. An attacker can inject malicious scripts that may be executed in the context of the user's session by embedding them into the affected document types.

Upgrade roundup to version 2.4.0 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HTTP Referer header. An attacker can inject malicious scripts that are executed in the context of the user's browser session.

Upgrade roundup to version 2.4.0 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Insecure Defaults due to unsafe password handling.

Upgrade roundup to version 1.4.17 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control. A user who didn't have access to a property could deduce its content by crafting a clever search, group or sort query.

Upgrade roundup to version 1.4.17 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization.

Upgrade roundup to version 1.5.1 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Timing Attack via the verifyLogin function, because it doesn't run a password check when the user doesn't exist, which might expose valid usernames

Upgrade roundup to version 2.1.0b1 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control due to the usage of the 'Access-Control-Allow-Credentials' header when using REST. Exploiting this vulnerability allows unauthorized third-party websites to use a user's credentials to access information in the tracker that is not publicly available.

Upgrade roundup to version 2.3.0b2 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the @ok_message or @error_message parameters.

Upgrade roundup to version 1.4.20 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

Upgrade roundup to version 2.0.0 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.