Moderate severity · NVD Advisory · Published Apr 11, 2014 · Updated May 6, 2026
CVE-2012-6131
Description
Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.
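The defect class described above, as an added example that is not Roundup's code: an action lookup that embeds the raw, user-supplied action name in an error message which is later written into an HTML page. The function names, the KNOWN_ACTIONS set, the two page renderers and the sample payload are all constructed for this illustration. It goes slightly beyond the advisory by contrasting the upstream style of fix (escape inside the exception message) with escaping at the HTML sink, and shows the double-encoding you get if both are done.

```python
"""Reflected XSS through an error message, and two places to escape it.

Models the pattern behind CVE-2012-6131: a handler looks up an action by
the user-supplied ``@action`` parameter, raises ValueError with the raw
name when nothing matches, and the message is rendered into HTML.
Everything below is constructed for this example, not Roundup code.
"""
import html

# Constructed: the actions this toy handler knows about.
KNOWN_ACTIONS = {"edit", "search", "login"}


def get_action_class_vulnerable(action_name):
    """Defect: the untrusted parameter goes into the message unescaped."""
    if action_name in KNOWN_ACTIONS:
        return action_name
    raise ValueError('No such action "%s"' % action_name)


def get_action_class_fixed(action_name):
    """Upstream-style fix: escape where the value enters the message.
    cgi.escape (used in the 1.4.20 patch) was removed in Python 3.8;
    html.escape is its replacement and also escapes quotes by default."""
    if action_name in KNOWN_ACTIONS:
        return action_name
    raise ValueError('No such action "%s"' % html.escape(action_name))


def render_error_page_trusting(lookup, action_name):
    """Renderer that inserts the exception text into the page verbatim.
    This is the assumption that makes the vulnerable lookup exploitable."""
    try:
        lookup(action_name)
        return "<p>ok</p>"
    except ValueError as e:
        return "<p>Error: %s</p>" % e


def render_error_page_escaping(lookup, action_name):
    """Renderer that escapes at the sink, so any exception message is safe
    regardless of where it was built. Combined with the fixed lookup this
    double-encodes (&amp;lt; instead of &lt;): escape in exactly one place."""
    try:
        lookup(action_name)
        return "<p>ok</p>"
    except ValueError as e:
        return "<p>Error: %s</p>" % html.escape(str(e))


def contains_raw_markup(body, payload):
    """Defender's check: did the payload survive into the page as live
    markup rather than as escaped text?"""
    return payload in body


# Constructed sample input: a harmless marker tag standing in for any
# attacker-controlled markup.
SAMPLE_PAYLOAD = "<b>marker</b>"

if __name__ == "__main__":
    for r_name, renderer in (("trusting", render_error_page_trusting),
                             ("escaping", render_error_page_escaping)):
        for l_name, lookup in (("vulnerable", get_action_class_vulnerable),
                               ("fixed", get_action_class_fixed)):
            body = renderer(lookup, SAMPLE_PAYLOAD)
            print("%s/%s raw markup=%s: %s" % (
                r_name, l_name, contains_raw_markup(body, SAMPLE_PAYLOAD), body))
```

The combination worth noticing is the last one: once the renderer escapes at the sink, the escaping inside the exception becomes redundant and the user sees `&lt;` literally, so a project that adopts sink-side escaping should remove the message-side call rather than keep both.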
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| roundup (PyPI) | < 1.4.20 | 1.4.20 |
Patches (2)
ea29de37416f issue2550711 Fix XSS vulnerability in @action parameter.
3 files changed · +5 −2
CHANGES.txt+3 −1 modified@@ -55,8 +55,10 @@ Fixed: backported version of my proposed changes to email.header.decode_header in http://bugs.python.org/issue1079 (Ralf) -- issue2550711 Fix XSS vulnerability when username contains HTML code, +- issue2550684 Fix XSS vulnerability when username contains HTML code, thanks to Thomas Arendsen Hein for reporting and patch. +- issue2550711 Fix XSS vulnerability in @action parameter, + thanks to "om" for reporting. 2011-07-15: 1.4.19
doc/acknowledgements.txt+1 −0 modified@@ -104,6 +104,7 @@ Stefan Niederhauser, Truls E. Næss, Bryce L Nordgren, Patrick Ohly, +"om", Luke Opperman, Eddie Parker, Will Partain,
roundup/cgi/client.py+1 −1 modified@@ -1171,7 +1171,7 @@ def get_action_class(self, action_name): if name == action_name: break else: - raise ValueError('No such action "%s"'%action_name) + raise ValueError('No such action "%s"'%cgi.escape(action_name)) return action_klass def _socket_op(self, call, *args, **kwargs):
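Review bot: in the roundup/cgi/client.py hunk the escaping is tied to the raise site (`raise ValueError('No such action "%s"'%cgi.escape(action_name))`), so the protection holds only as long as every path that renders a ValueError keeps treating its message as already-safe HTML; escaping where the message is written into the page would cover other exception messages as well and would not double-encode if the renderer is later changed to escape. Two smaller points on the same line: `cgi.escape` with its default `quote=False` leaves double quotes untouched, which is fine while the message lands in element text but not if it is ever placed in an attribute, and `cgi.escape` is deprecated (removed in Python 3.8), so `html.escape` is the forward-compatible call.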
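Review bot: the CHANGES.txt hunk silently renumbers the username entry from issue2550711 to issue2550684 while adding a new issue2550711 entry for the @action fix; the other commit on this page (38193cc7d935) introduced that username line under issue2550711, so this is a correction of the earlier attribution and the commit message should say so, otherwise anyone reading the history sees two different fixes credited to the same issue number.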
38193cc7d935 issue2550711 Fix XSS vulnerability when username contains HTML code.
2 files changed · +3 −1
CHANGES.txt+2 −0 modified@@ -55,6 +55,8 @@ Fixed: backported version of my proposed changes to email.header.decode_header in http://bugs.python.org/issue1079 (Ralf) +- issue2550711 Fix XSS vulnerability when username contains HTML code, + thanks to Thomas Arendsen Hein for reporting and patch. 2011-07-15: 1.4.19
roundup/cgi/templating.py+1 −1 modified@@ -1141,7 +1141,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'), if dre.match(user): user = self._db.user.get(user, 'username') l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%( - date_s, user, self._(action), arg_s)) + date_s, cgi.escape(user), self._(action), arg_s)) if comments: l.append(self._( '<tr><td colspan=4><strong>Note:</strong></td></tr>'))
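Review bot: the roundup/cgi/templating.py hunk escapes `user` but the same `l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%(` call still interpolates `date_s`, `self._(action)` and `arg_s` with no escaping visible in this context; confirm those are escaped where they are built, since `arg_s` is derived from stored history data, or apply `cgi.escape` to every untrusted cell here rather than to one. As with the client.py change, `cgi.escape` without `quote=True` leaves quotes alone, acceptable for `<td>` text but not for attributes; and the unrelated context line `dre=re.compile('^\d+$')` uses a non-raw string for a regex, which is a style point worth a raw-string literal.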
References (11)
- https://pypi.python.org/pypi/roundup/1.4.20 (nvd, patch)
- https://github.com/advisories/GHSA-gw2q-cgvq-9g3v (ghsa, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2012-6131 (ghsa, advisory)
- https://issues.roundup-tracker.org/issue2550711 (nvd, web)
- https://www.openwall.com/lists/oss-security/2012/11/10/2 (nvd, web)
- https://www.openwall.com/lists/oss-security/2013/02/13/8 (nvd, web)
- https://bugzilla.redhat.com/show_bug.cgi (nvd, web)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84190 (nvd, web)
- https://github.com/pypa/advisory-database/tree/main/vulns/roundup/PYSEC-2014-16.yaml (ghsa, web)
- https://github.com/roundup-tracker/roundup/commit/38193cc7d93567e04dae71cf526427473685d35e (ghsa, web)
- https://github.com/roundup-tracker/roundup/commit/ea29de37416f5b2126b3249cdd6bf12e5098c646 (ghsa, web)