VYPR
Moderate severityNVD Advisory· Published Aug 11, 2009· Updated Jun 16, 2026

CVE-2009-2737

CVE-2009-2737

Description

The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
RoundupPyPI
>= 1.2, < 1.2.11.2.1
RoundupPyPI
>= 1.4, < 1.4.71.4.7

Affected products

9
  • cpe:2.3:a:toni_mueller:roundup:1.2.0:*:*:*:*:*:*:*+ 7 more
    • cpe:2.3:a:toni_mueller:roundup:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:toni_mueller:roundup:1.4.6:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.2, < 1.2.1

Patches

Vulnerability mechanics

References

13

News mentions

0

No linked articles in our index yet.