Thomas Arendsen Hein

**Nome do software vulnerável e versões afetadas: Versões do Roundup anteriores à 1.4.20 Descrição: A vulnerabilidade permite que invasores remotos injetem scripts da Web ou HTML arbitrários por meio dos parâmetros `@ok message` ou `@error message` na função issue*. Isso permite que os invasores realizem ataques de cross-site scripting (XSS). Recomendações: Para versões anteriores à 1.4.20, atualize para a versão 1.4.20 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso aos parâmetros `@ok message` e `@error message` no endpoint issue* até que um patch esteja disponível. Evite usar os parâmetros `@ok message` e `@error message` no endpoint afetado até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** Roundup versions prior to 1.4.20 **Description** A cross-site scripting (XSS) issue exists in the history display of Roundup, allowing remote attackers to inject arbitrary web script or HTML via a `username`. This occurs when generating a link. **Recommendations** For versions prior to 1.4.20, update to version 1.4.20 or later to resolve the issue. As a temporary workaround, consider restricting user input for `username` fields to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Roundup versions prior to 1.4.20 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `@action` parameter to the "support/issue1" endpoint. This enables attackers to perform cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 1.4.20, update to version 1.4.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the `support/issue1` endpoint or disabling the `@action` parameter until a patch is applied.