Roundup Security Vulnerabilities and Issues — Roundup CVE List

Lucene search

Roundup-trackerRoundup

14 matches found

CVE•added 2020/01/30 9:15 p.m.•86 views

CVE-2012-6133

Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.

6.1CVSS6AI score0.00479EPSS

CVE•added 2019/04/06 8:29 p.m.•65 views

CVE-2019-10904

Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

6.1CVSS5.8AI score0.00752EPSS

CVE•added 2008/03/24 10:44 p.m.•60 views

CVE-2008-1474

Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).

4.3CVSS5.9AI score0.01035EPSS

CVE•added 2016/04/13 2:59 p.m.•53 views

CVE-2014-6276

schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

4.3CVSS4AI score0.0013EPSS

CVE•added 2014/04/11 3:55 p.m.•49 views

CVE-2012-6131

Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

4.3CVSS5.9AI score0.00407EPSS

CVE•added 2024/07/17 8:15 p.m.•48 views

CVE-2024-39125

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

5.4CVSS5.9AI score0.0016EPSS

CVE•added 2010/09/24 7:0 p.m.•47 views

CVE-2010-2491

Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.

4.3CVSS5.5AI score0.0061EPSS

CVE•added 2014/04/11 3:55 p.m.•43 views

CVE-2012-6130

Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

4.3CVSS5.9AI score0.00407EPSS

CVE•added 2008/03/24 10:44 p.m.•42 views

CVE-2008-1475

The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.

6.4CVSS6.1AI score0.0047EPSS

CVE•added 2014/04/10 8:29 p.m.•39 views

CVE-2012-6132

Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.

4.3CVSS5.9AI score0.00256EPSS

CVE•added 2024/07/17 8:15 p.m.•39 views

CVE-2024-39126

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

5.4CVSS5.9AI score0.00158EPSS

CVE•added 2005/02/13 5:0 a.m.•34 views

CVE-2004-1444

Directory traversal vulnerability in Roundup 0.6.4 and earlier allows remote attackers to view arbitrary files via .. (dot dot) sequences in an @@ command in an HTTP GET request.

5CVSS6.8AI score0.16535EPSS

CVE•added 2024/07/17 8:15 p.m.•33 views

CVE-2024-39124

In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

6.1CVSS7AI score0.0016EPSS

CVE•added 2025/07/13 8:15 p.m.•6 views

CVE-2025-53865

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

6.4CVSS5.9AI score0.00032EPSS