PT-2009-5116 · Roundup · Roundup
Vincent Danen · Published 2009-08-11 · Updated 2022-05-02
CVE-2009-2737
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Roundup versions 1.2 through 1.2.1
Roundup versions 1.4 through 1.4.6
Description
The issue arises from the EditCSVAction function in cgi/actions.py, which does not properly check permissions. This allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class. Examples of exploitation include editing all queries, modifying settings, and adding roles to users.
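The following is an added illustration, not Roundup's code: a constructed in-memory model of a CSV bulk-edit action with a class-level-only permission check (the pattern the advisory describes) next to a version that authorizes every row against the specific item it touches. All names (`fresh_items`, `may_edit_item`, `edit_csv_vulnerable`, `edit_csv_hardened`) and the sample CSV are hypothetical.

```python
import csv
import io

# Constructed sample data: two items of a "query" class with different creators.
def fresh_items():
    return {
        "1": {"name": "open bugs", "creator": "alice"},
        "2": {"name": "my tasks", "creator": "bob"},
    }

# Constructed CSV submissions (hypothetical format: one row per item id).
SAMPLE_CSV = "id,name\n1,renamed by bob\n2,my tasks renamed\n"
OWN_CSV = "id,name\n2,my tasks renamed\n3,new query\n"

def may_edit_class(user):
    """Class-level rule: any authenticated user may edit the class."""
    return user is not None

def may_create(user):
    return user is not None

def may_edit_item(user, item):
    """Item-level rule: a user may only edit items they created."""
    return item["creator"] == user

def parse_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def edit_csv_vulnerable(user, csv_text, items):
    """Checks permission once, for the class, then applies every row.
    Any user with edit rights on the class can alter every item in it."""
    if not may_edit_class(user):
        raise PermissionError("no edit permission on class")
    for row in parse_rows(csv_text):
        existing = items.get(row["id"])
        if existing is None:
            items[row["id"]] = {"name": row["name"], "creator": user}
        else:
            existing["name"] = row["name"]
    return items

def edit_csv_hardened(user, csv_text, items):
    """Authorizes each row against the item it targets before mutating
    anything, so a rejected batch leaves the store unchanged."""
    rows = parse_rows(csv_text)
    for row in rows:
        existing = items.get(row["id"])
        if existing is None and not may_create(user):
            raise PermissionError(f"may not create item {row['id']}")
        if existing is not None and not may_edit_item(user, existing):
            raise PermissionError(f"may not edit item {row['id']}")
    for row in rows:
        existing = items.get(row["id"])
        if existing is None:
            items[row["id"]] = {"name": row["name"], "creator": user}
        else:
            existing["name"] = row["name"]
    return items
```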
Recommendations
For Roundup versions 1.2 through 1.2.1, update to version 1.2.1 or later.
For Roundup versions 1.4 through 1.4.6, update to a version later than 1.4.6.
As a temporary workaround, consider restricting access to the EditCSVAction function in cgi/actions.py to minimize the risk of exploitation.
Fix
Improper Access Control
Related identifiers
Affected products
Roundup