PT-2009-5116 · Roundup · Roundup

Vincent Danen · Published 2009-08-11 · Updated 2022-05-02 · CVE-2009-2737

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Roundup versions 1.2 through 1.2.1
Roundup versions 1.4 through 1.4.6

Description

The issue arises from the EditCSVAction function in cgi/actions.py, which does not properly check permissions: it verifies that the user may edit or create items of a class, but not that the user may modify each individual item submitted. This allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class. Examples of the impact include editing all queries, modifying settings, and adding roles to users.

Recommendations

For Roundup versions 1.2 through 1.2.1, update to version 1.2.1 or later. For Roundup versions 1.4 through 1.4.6, update to a version later than 1.4.6. As a temporary workaround, consider restricting access to the EditCSVAction function in cgi/actions.py to minimize the risk of exploitation.
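The access-control pattern behind this advisory, shown as an added illustration rather than Roundup's own code: a bulk "edit CSV" handler that only checks class-level permission, beside a hardened handler that also authorizes every item before any write lands. The Security, Database and PermissionDenied classes, the owner-based item rule and the CSV input are all constructed for this example and do not describe Roundup's actual implementation.

```python
"""Added example (not Roundup's code): class-level vs per-item authorization
in a bulk CSV edit action. All names and rules here are hypothetical."""
import csv
import io


class PermissionDenied(Exception):
    pass


class Security:
    """Hypothetical permission store.

    class_perms:  set of (user, action, classname) tuples
    item_owners:  mapping (classname, itemid) -> owning user
    """

    def __init__(self, class_perms, item_owners):
        self.class_perms = class_perms
        self.item_owners = item_owners

    def has_class_permission(self, user, action, classname):
        return (user, action, classname) in self.class_perms

    def has_item_permission(self, user, action, classname, itemid):
        # Constructed rule: the class permission is necessary but not
        # sufficient; the user must also own the specific item.
        if not self.has_class_permission(user, action, classname):
            return False
        return self.item_owners.get((classname, itemid)) == user


class Database:
    """Minimal in-memory store: (classname, itemid) -> dict of properties."""

    def __init__(self):
        self.items = {}


def edit_csv_vulnerable(db, sec, user, classname, csv_text):
    """Mirrors the flaw the advisory describes: a single class-wide check,
    so any user with edit rights on the class can overwrite every item."""
    if not sec.has_class_permission(user, "Edit", classname):
        raise PermissionDenied(classname)
    changed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        itemid = row.pop("id")
        db.items[(classname, itemid)] = row
        changed.append(itemid)
    return changed


def edit_csv_fixed(db, sec, user, classname, csv_text):
    """Hardened form: authorize every row first, then write. Rejecting the
    whole batch on the first failure avoids a partially applied edit."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if not sec.has_item_permission(user, "Edit", classname, row["id"]):
            raise PermissionDenied(f"{classname}{row['id']}")
    changed = []
    for row in rows:
        itemid = row.pop("id")
        db.items[(classname, itemid)] = row
        changed.append(itemid)
    return changed


def demo():
    """Runs both handlers on constructed data; returns (vulnerable_result, fixed_result)."""
    sec = Security(
        class_perms={("alice", "Edit", "query")},
        item_owners={("query", "1"): "alice", ("query", "2"): "bob"},
    )
    # Constructed CSV: alice submits a rewrite of her own query and of bob's.
    csv_text = "id,name\n1,mine\n2,renamed\n"
    vuln = edit_csv_vulnerable(Database(), sec, "alice", "query", csv_text)
    try:
        edit_csv_fixed(Database(), sec, "alice", "query", csv_text)
        fixed = "allowed"
    except PermissionDenied as exc:
        fixed = f"denied:{exc}"
    return vuln, fixed


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler silently rewrites both queries; the hardened one refuses the batch because the second row fails the per-item check, which is the behaviour a reviewer should look for in any bulk edit path: one authorization decision per object written, not one per request.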

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2009-2737
DSA-1754-1
GHSA-9RJ9-5WCV-XGF2

Affected Products

Roundup