Roundup Cross-site Scripting Vulnerability
Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.
Advisories for Pypi/Roundup package
2024
Roundup Cross-site Scripting Vulnerability
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.
Roundup Cross-site Scripting Vulnerability
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.
2022
Roundup sensitive data disclosure vulnerability
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.
2019
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Roundup allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle errors.