roundup@2.0.0alpha0 vulnerabilities

A simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Direct Vulnerabilities

Known vulnerabilities in the roundup package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the classhelpers (_generic.help.html), due to improper sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)
  • M
Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via JavaScript in PDF, XML, and SVG documents. An attacker can inject malicious scripts that may be executed in the context of the user's session by embedding them into the affected document types.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)
  • M
Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HTTP Referer header. An attacker can inject malicious scripts that are executed in the context of the user's browser session.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.4.0 or higher.

[,2.4.0)
  • M
Timing Attack

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Timing Attack via the verifyLogin function, because it doesn't run a password check when the user doesn't exist, which might expose valid usernames

How to fix Timing Attack?

Upgrade roundup to version 2.1.0b1 or higher.

[,2.1.0b1)
  • M
Improper Access Control

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Improper Access Control due to the usage of the 'Access-Control-Allow-Credentials' header when using REST. Exploiting this vulnerability allows unauthorized third-party websites to use a user's credentials to access information in the tracker that is not publicly available.

How to fix Improper Access Control?

Upgrade roundup to version 2.3.0b2 or higher.

[,2.3.0b2)
  • M
Cross-site Scripting (XSS)

roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

How to fix Cross-site Scripting (XSS)?

Upgrade roundup to version 2.0.0 or higher.

[0,2.0.0)