Candidate: CVE-2009-2737
PublicDate: 2009-08-11 10:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2737
 http://roundup.hg.sourceforge.net/hgweb/roundup/roundup/file/24bf81a617dd/CHANGES.txt
Description:
 The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1,
 1.4 through 1.4.6, and possibly other versions does not properly check
 permissions, which allows remote authenticated users with edit or create
 privileges for a class to modify arbitrary items within that class, as
 demonstrated by editing all queries, modifying settings, and adding roles
 to users.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=489355
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518768
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_roundup:
upstream_roundup: released (1.4.8)
dapper_roundup: ignored (reached end-of-life)
hardy_roundup: ignored (reached end-of-life)
intrepid_roundup: needs-triage (reached end-of-life)
jaunty_roundup: ignored (reached end-of-life)
karmic_roundup: ignored (reached end-of-life)
lucid_roundup: not-affected (1.4.9-0)
maverick_roundup: not-affected (1.4.9-0)
natty_roundup: not-affected (1.4.9-0)
oneiric_roundup: not-affected (1.4.9-0)
devel_roundup: not-affected (1.4.9-0)