A vulnerability has been identified in Roundup, which can be exploited by malicious people to conduct Cross-Site Scripting attacks against other users.
The vulnerability is caused by missing validation of input passed through CGI variables in "client.py". This can be exploited by a malicious person to inject arbitrary script code, which is executed in another user's browser session when the affected page is viewed.
Successful exploitation can result in disclosure of various information (e.g., cookie-based authentication information) associated with the site running Roundup, or in the inclusion of malicious content that the user believes is part of the real website.
The vulnerability has been confirmed in version 0.6.0b3. However, prior versions may also be affected.
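The flawed pattern the advisory describes, CGI variables reflected into HTML without encoding, shown beside a hardened version that escapes every reflected name and value. This is an added example, not code from Roundup's client.py; the sample query string and its parameter names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample query string; the parameter names are assumptions,
# not Roundup's actual CGI variables. The second value carries markup.
SAMPLE_QUERY = 'title=Bug+report&columns=id%2Ctitle"><b>injected</b>'


def reflect_unsafe(query_string: str) -> str:
    """Flawed pattern: CGI values are copied into hidden form fields verbatim,
    so a value containing a quote can close the attribute and add new tags."""
    fields = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            fields.append('<input type="hidden" name="%s" value="%s">' % (name, value))
    return "\n".join(fields)


def reflect_safe(query_string: str) -> str:
    """Hardened pattern: every name and value is HTML-escaped with quote=True,
    so <, >, &, " and ' are rendered as entities and stay inside the attribute."""
    fields = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            fields.append('<input type="hidden" name="%s" value="%s">'
                          % (html.escape(name, quote=True), html.escape(value, quote=True)))
    return "\n".join(fields)


def count_start_tags(rendered: str) -> int:
    """Counts HTML start tags in the rendered output. A form with N hidden
    fields should contain exactly N tags; any extra tag means a reflected
    value broke out of its attribute, which is the defect being described."""
    return len(re.findall(r"<[A-Za-z]", rendered))
```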