Roundup Cross-site Scripting Vulnerability
Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*.
Roundup allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle errors.