CVE-2009-2737
published 2009-08-11

CVE-2009-2737: The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions…

Priority: P4 28
Severity: medium, 5.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
EPSS: 2.32% (81.3rd percentile)
The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.
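The flaw described above is an authorization check made at the wrong granularity: the action asked "may this user edit this class?" once, then applied every row of the uploaded CSV, so anyone holding Edit or Create on the class could rewrite items they did not own. The example below is added here to illustrate that pattern and the per-item check that closes it; it is not Roundup's own code and does not reproduce the actual patch shipped in 1.2.1 and 1.4.7. The permission model (users edit only items they created, anyone may create, admin edits everything), the sample item store and the sample CSV upload are all constructed assumptions for illustration.

```python
import copy
import csv
import io

# Constructed sample data standing in for a Roundup "query" class:
# item id -> properties. "creator" records who owns the item.
SAMPLE_ITEMS = {
    "1": {"name": "my open bugs", "creator": "alice"},
    "2": {"name": "site dashboard", "creator": "admin"},
}

# Constructed CSV as an EditCSV form would submit it: one row per item,
# first column is the item id. User "alice" edits her own query (1)
# and, in the same upload, tries to rename admin's query (2).
SAMPLE_CSV = "id,name\n1,my open bugs (renamed)\n2,pwned dashboard\n"


def has_permission(items, user, action, itemid=None):
    """Hypothetical permission model (not Roundup's real security module).

    Any user may Create; a user may Edit items they created; "admin" may
    edit anything. Asking about Edit with no itemid answers only the
    class-level question "may this user edit *some* items of the class",
    which is exactly the question the vulnerable handler stops at.
    """
    if user == "admin":
        return True
    if action == "Create":
        return True
    if action == "Edit":
        if itemid is None:
            return True
        return items[itemid]["creator"] == user
    return False


def parse_rows(csv_text):
    """Return (header, rows); each row is a dict keyed by the header."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    return header, [dict(zip(header, r)) for r in reader if r]


def edit_csv_vulnerable(items, user, csv_text):
    """The bug pattern: one class-level check, then every row is applied."""
    items = copy.deepcopy(items)
    if not has_permission(items, user, "Edit"):
        raise PermissionError("no edit permission on class")
    _, rows = parse_rows(csv_text)
    for row in rows:
        itemid = row.pop("id")
        if itemid in items:
            items[itemid].update(row)          # no check against this item
        else:
            items[itemid] = dict(row, creator=user)
    return items


def edit_csv_fixed(items, user, csv_text):
    """Per-item authorization: Edit is checked against each existing
    itemid, Create against each new one. Rejected rows are reported,
    not silently dropped, and nothing in them is applied."""
    items = copy.deepcopy(items)
    _, rows = parse_rows(csv_text)
    rejected = []
    for row in rows:
        itemid = row.pop("id")
        if itemid in items:
            if not has_permission(items, user, "Edit", itemid=itemid):
                rejected.append(itemid)
                continue
            items[itemid].update(row)
        else:
            if not has_permission(items, user, "Create"):
                rejected.append(itemid)
                continue
            items[itemid] = dict(row, creator=user)
    return items, rejected


if __name__ == "__main__":
    print(edit_csv_vulnerable(SAMPLE_ITEMS, "alice", SAMPLE_CSV))
    print(edit_csv_fixed(SAMPLE_ITEMS, "alice", SAMPLE_CSV))
```

Run as shown, the vulnerable handler lets alice rename admin's item 2, while the fixed handler applies her own row and reports item 2 as rejected. The practitioner's check on any bulk-edit endpoint is the same: every row that names an existing identifier must be authorized against that identifier, and rows that fail must not be applied even when the rest of the batch succeeds.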

Affected (10 ranges)

Vendor            Product   Version range         Fixed in
roundup-tracker   roundup   >= 1.2, < 1.2.1       1.2.1
roundup-tracker   roundup   >= 1.4, < 1.4.7       1.4.7
toni_mueller      roundup   (8 entries, no version range or fix version listed)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       5.5     MEDIUM     AV:N/AC:L/Au:S/C:N/I:P/A:P
vendor_redhat             5.5     MEDIUM