NVD

Id
49970  
Name
CVE-2009-2737  
Description
The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.  
Reject
 
CVSS Version
2  
CVSS Score
5.5  
Severity
Medium  
CVSS Base Score
5.5  
CVSS Impact Subscore
4.9  
CVSS Exploit Subscore
8  
CVSS Vector
(AV:N/AC:L/Au:S/C:N/I:P/A:P)  
Pub Date
2017-01-07  
Published
2009-08-11  
Modified Date
2009-08-26  
Seq
2009-2737  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
252896 49970 CVE-2009-2737 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518768  View
252897 49970 CVE-2009-2737 http://issues.roundup-tracker.org/issue2550521  View
252898 49970 CVE-2009-2737 DSA-1754  View
252899 49970 CVE-2009-2737 34059  View
252900 49970 CVE-2009-2737 https://bugzilla.redhat.com/show_bug.cgi?id=489355  View
252901 49970 CVE-2009-2737 FEDORA-2009-2583  View
252902 49970 CVE-2009-2737 FEDORA-2009-2591  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
45203 JVNDB-2009-006210 Roundup の cgi/actions.py におけるクラス内の任意の項目を変更される脆弱性 Roundup の cgi/actions.py の EditCSVAction 関数は、パーミッションを適切にチェックしないため、クラス内の任意の項目を変更される脆弱性が存在します。 CVE-2009-2737 40168 CVE-2009-2737 49970 5.5 http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-006210.html 2009-08-11 2012-12-20 View