The XML-RPC server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
secunia.com/advisories/29336
secunia.com/advisories/29375
secunia.com/advisories/30274
secunia.com/advisories/32805
security.gentoo.org/glsa/glsa-200805-21.xml
sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
www.securityfocus.com/bid/28238
www.vupen.com/english/advisories/2008/0891
bugzilla.redhat.com/show_bug.cgi?id=436546
exchange.xforce.ibmcloud.com/vulnerabilities/41240
github.com/roundup-tracker/roundup/commit/c00b7e5801f8baa246fa76b4aad5287882310189
nvd.nist.gov/vuln/detail/CVE-2008-1475
www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html
www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html
www.redhat.com/archives/fedora-package-announce/2008-November/msg00452.html
www.redhat.com/archives/fedora-package-announce/2008-November/msg00478.html