Roundup
CVE-2014-6276
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
AnalysisAI
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-264. schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details. Affected products include: Roundup-Tracker Roundup, Debian Debian Linux. Version information: before 1.5.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. R
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents. Rated medium severity (CVSS 5.4), this vu
Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header. Rated medium severity (CVSS 5.4), this v
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS. Rated medium severity (CVSS 5.4), this vulnerabili
Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arb
Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inje
Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today