roundup@0.8.3 vulnerabilities

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Insecure Defaults due to unsafe password handling.

Upgrade roundup to version 1.4.17 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control. If the user hasn't permission on a message (notably files and content properties) and is on the nosy list, the content is sent via email.

Upgrade roundup to version 1.4.11 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control. A user who didn't have access to a property could deduce its content by crafting a clever search, group or sort query.

Upgrade roundup to version 1.4.17 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Privilege Escalation via the own_record function.

Upgrade roundup to version 1.4.11 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization.

Upgrade roundup to version 1.5.1 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Timing Attack via the verifyLogin function, because it doesn't run a password check when the user doesn't exist, which might expose valid usernames

Upgrade roundup to version 2.1.0b1 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Insecure Defaults when it is serving uploaded HTML files content as HTML by default.

Upgrade roundup to version 1.4.7 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control due to the usage of the 'Access-Control-Allow-Credentials' header when using REST. Exploiting this vulnerability allows unauthorized third-party websites to use a user's credentials to access information in the tracker that is not publicly available.

Upgrade roundup to version 2.3.0b2 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the @ok_message or @error_message parameters.

Upgrade roundup to version 1.4.20 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Authorization Bypass. The xml-rpc server in Roundup does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the list, display, and set methods.

Upgrade roundup to version 1.4.5.1 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Multiple unspecified vulnerabilities in Roundup have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).

Upgrade roundup to version 1.4.4 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

Upgrade roundup to version 2.0.0 or higher.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable. schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Cross-site Scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program.