Roundup
CVE-2024-39124
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.
AnalysisAI
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS. Affected products include: Roundup-Tracker Roundup. Version information: before 2.4.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. R
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents. Rated medium severity (CVSS 5.4), this vu
Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header. Rated medium severity (CVSS 5.4), this v
Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arb
Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inje
Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today