VYPR
Moderate severity · NVD Advisory · Published Aug 11, 2009 · Updated Apr 23, 2026

CVE-2009-2737

Description

The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.
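The point of the description is the difference between a class-level and an item-level authorization check: the CSV editor asked "may this user edit items of class X?" once, then applied every row in the upload, so a user who may edit any one item of the class could rewrite all of them. The following is an added illustration written for this page, not Roundup's own code. It assumes a toy permission model (every user may create query items and edit the ones they created), a CSV layout in which an empty id column means "create a new item", and the function names used here; Roundup's real Security/Permission machinery is richer than this stand-in.

```python
import copy
import csv
import io

# Constructed sample store: a "query" class whose items record their creator.
# This stands in for Roundup's hyperdb; it is not Roundup's data model.
QUERIES = {
    "1": {"name": "my bugs", "creator": "alice"},
    "2": {"name": "everything", "creator": "admin"},
}


def has_permission(user, perm, classname, itemid=None, store=QUERIES):
    """Simplified stand-in for a hasPermission(perm, user, classname, itemid) check.

    Policy assumed for the example: anyone may Create query items and may Edit
    the query items they created. Called without an itemid it answers the
    class-level question "could this user edit *some* item of this class?".
    """
    if classname != "query":
        return False
    if perm == "Create":
        return True
    if perm == "Edit":
        if itemid is None:
            return True  # class-level answer: alice can edit at least query 1
        item = store.get(itemid)
        return item is not None and item["creator"] == user
    return False


def parse_csv(text):
    """Yield (itemid, values) per data row; an empty id column means 'new item'
    (an assumption about the CSV layout made for this example)."""
    rows = list(csv.reader(io.StringIO(text)))
    header = rows[0]
    for row in rows[1:]:
        if not row:
            continue
        yield (row[0] or None), dict(zip(header[1:], row[1:]))


def apply_rows(user, rows, store):
    """Write the rows into the store; new rows get the next free id."""
    for itemid, values in rows:
        if itemid is None:
            itemid = str(max(map(int, store), default=0) + 1)
            store[itemid] = {"creator": user}
        store[itemid].update(values)
    return store


def edit_csv_vulnerable(user, classname, text, store):
    """The flawed pattern: one class-level Edit check, then every row is applied."""
    if not has_permission(user, "Edit", classname, store=store):
        raise PermissionError(f"{user} may not edit {classname}")
    return apply_rows(user, parse_csv(text), store)


def edit_csv_fixed(user, classname, text, store):
    """Per-row authorisation: Create for new rows, Edit on the specific item
    otherwise, and nothing is written until every row has passed."""
    rows = list(parse_csv(text))
    for itemid, _ in rows:
        needed = "Create" if itemid is None else "Edit"
        if not has_permission(user, needed, classname, itemid, store=store):
            raise PermissionError(f"{user} may not {needed.lower()} {classname}{itemid or ''}")
    return apply_rows(user, rows, store)


# Constructed payload: alice renames her own query 1 and the admin's query 2.
PAYLOAD = "id,name\n1,triage\n2,pwned\n"


def demo():
    """Return (name of query 2 after the vulnerable path, whether the fixed path refused)."""
    vuln = edit_csv_vulnerable("alice", "query", PAYLOAD, copy.deepcopy(QUERIES))
    try:
        edit_csv_fixed("alice", "query", PAYLOAD, copy.deepcopy(QUERIES))
        fixed_denied = False
    except PermissionError:
        fixed_denied = True
    return vuln["2"]["name"], fixed_denied


def fixed_own_rows():
    """The fixed path still lets alice edit her own query and create a new one."""
    store = edit_csv_fixed("alice", "query", "id,name\n1,triage\n,new query\n",
                           copy.deepcopy(QUERIES))
    return store["1"]["name"], store["3"]["creator"]


if __name__ == "__main__":
    print(demo())            # ('pwned', True)
    print(fixed_own_rows())  # ('triage', 'alice')
```

The check-everything-then-write ordering in `edit_csv_fixed` matters for a bulk editor: refusing mid-way would leave the store half-updated, and a per-row "skip and continue" would silently drop rows the user expected to land.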

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions    Patched versions
Roundup (PyPI)    >= 1.2, < 1.2.1      1.2.1
Roundup (PyPI)    >= 1.4, < 1.4.7      1.4.7

Affected products

  • cpe:2.3:a:toni_mueller:roundup:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:toni_mueller:roundup:1.4.6:*:*:*:*:*:*:*
  • GHSA range: >= 1.2, < 1.2.1

Patches

No patches discovered yet.
