CVE-2009-2737
Published 2009-08-11
Priority P428 · CVSS 2.0: 5.5 (medium) · AV:N/AC:L/Au:S/C:N/I:P/A:P
EPSS: 2.32% (81.3th percentile)
The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.
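The bug class described above is a bulk-edit handler that authorises the class once and then applies every row. The following is an added illustrative model, not Roundup's own code: the tracker, the ownership-based permission policy, the CSV layout (`id` first, then property names) and the names `Tracker`, `edit_csv_vulnerable` and `edit_csv_fixed` are all assumptions made for the example. It shows a pre-fix style handler letting a user who owns one query overwrite another user's query and grant themselves roles, and a hardened handler that checks every (item, property) pair before changing anything.

```python
"""Illustrative model of CVE-2009-2737 (improper access control in a CSV bulk edit).
Not Roundup's code: the tracker, policy and handler names are assumptions."""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Tracker:
    # classname -> {itemid: {prop: value}}; filled with constructed sample data below
    items: dict = field(default_factory=dict)
    create_classes: set = field(default_factory=lambda: {"query"})

    def has_permission(self, user, action, classname, itemid=None, prop=None):
        """Hypothetical policy: admin may do anything; other users may create
        queries and edit their own items, but never their own 'roles'. With
        itemid=None the question is 'may this user edit *some* item of the class?'."""
        if user == "admin":
            return True
        if classname not in self.items:
            return False
        if action == "Create":
            return classname in self.create_classes
        if action != "Edit":
            return False
        if itemid is None:
            return any(it["creator"] == user for it in self.items[classname].values())
        item = self.items[classname].get(itemid)
        return item is not None and item["creator"] == user and prop != "roles"


def parse_edit_csv(text):
    """First row is 'id,prop,...'; each further row edits (or creates) one item."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, body = rows[0], rows[1:]
    if header[0] != "id":
        raise ValueError("first column must be 'id'")
    return header, body


def _apply(tracker, user, classname, header, body):
    for row in body:
        itemid, values = row[0], dict(zip(header[1:], row[1:]))
        tracker.items[classname].setdefault(itemid, {"creator": user}).update(values)


def edit_csv_vulnerable(tracker, user, classname, text):
    """Pre-fix style: one class-level check (Edit *or* Create), then every row is applied,
    so owning a single item of the class is enough to rewrite all of them."""
    if not (tracker.has_permission(user, "Edit", classname)
            or tracker.has_permission(user, "Create", classname)):
        raise PermissionError("no Edit/Create on %s" % classname)
    header, body = parse_edit_csv(text)
    _apply(tracker, user, classname, header, body)


def edit_csv_fixed(tracker, user, classname, text):
    """Hardened: authorise each (item, property) first; apply only if all pass."""
    header, body = parse_edit_csv(text)
    existing = tracker.items.get(classname, {})
    for row in body:
        itemid = row[0]
        if itemid not in existing:
            if not tracker.has_permission(user, "Create", classname):
                raise PermissionError("no Create on %s" % classname)
            continue
        for prop in header[1:]:
            if not tracker.has_permission(user, "Edit", classname, itemid=itemid, prop=prop):
                raise PermissionError("no Edit on %s%s.%s" % (classname, itemid, prop))
    _apply(tracker, user, classname, header, body)  # all-or-nothing


def run_demo():
    """Replays the advisory's scenarios against both handlers; returns the outcomes."""
    def fresh():  # constructed sample tracker state
        return Tracker(items={
            "query": {"1": {"creator": "alice", "name": "mine"},
                      "2": {"creator": "bob", "name": "bobs"}},
            "user": {"3": {"creator": "alice", "username": "alice", "roles": "User"},
                     "4": {"creator": "admin", "username": "admin", "roles": "Admin"}},
        })

    def attempt(handler, user, classname, text):
        t = fresh()
        try:
            handler(t, user, classname, text)
            return "applied", t
        except PermissionError:
            return "denied", t

    out = {}
    _, t = attempt(edit_csv_vulnerable, "alice", "query", "id,name\n2,hijacked\n")
    out["vuln_query"] = t.items["query"]["2"]["name"]          # bob's query rewritten
    _, t = attempt(edit_csv_vulnerable, "alice", "user", "id,roles\n3,User;Admin\n")
    out["vuln_roles"] = t.items["user"]["3"]["roles"]          # self-granted role
    out["fixed_query"], t = attempt(edit_csv_fixed, "alice", "query",
                                    "id,name\n1,renamed\n2,hijacked\n")
    out["fixed_untouched"] = t.items["query"]["1"]["name"] == "mine"  # nothing applied
    out["fixed_roles"], _ = attempt(edit_csv_fixed, "alice", "user", "id,roles\n3,User;Admin\n")
    out["fixed_own"], t = attempt(edit_csv_fixed, "alice", "query", "id,name\n1,renamed\n")
    out["fixed_own_name"] = t.items["query"]["1"]["name"]
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two-pass shape of `edit_csv_fixed` is the part worth copying: a bulk action that authorises row by row while writing leaves a half-applied edit behind when a later row is refused, so the hardened handler rejects the whole request before touching the store.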
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roundup-tracker | roundup | >= 1.2 < 1.2.1 | 1.2.1 |
| roundup-tracker | roundup | >= 1.4 < 1.4.7 | 1.4.7 |
| toni_mueller | roundup | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA
Roundup Improper Access Control
ghsa · 2022-05-02 · CVE-2009-2737 [MEDIUM] · CWE-284
Description: same text as the NVD description above.
OSV
Roundup Improper Access Control
osv · 2022-05-02 · CVE-2009-2737 [MEDIUM]
Description: same text as the NVD description above.
Red Hat
roundup: privilege escalation in EditCSVAction
vendor_redhat · 2009-02-26 · CVE-2009-2737 [MEDIUM] · CVSS 5.5
Description: same text as the NVD description above.
No detection rules found.
No public exploits indexed.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518768
- http://issues.roundup-tracker.org/issue2550521
- http://secunia.com/advisories/34192
- http://www.debian.org/security/2009/dsa-1754
- http://www.osvdb.org/56368
- http://www.securityfocus.com/bid/34059
- https://bugzilla.redhat.com/show_bug.cgi?id=489355
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00429.html
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00439.html