CVE-2024-39124

5.4 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Roundup's classhelpers (_generic.help.html) allows attackers to inject malicious scripts into web pages. It affects all Roundup installations before version 2.4.0. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.

💻 Affected Systems

Products:
  • Roundup Issue Tracker
Versions: All versions before 2.4.0
Operating Systems: All operating systems running Roundup
Default Config Vulnerable: ⚠️ Yes
Notes: All Roundup installations using the vulnerable classhelpers are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full administrative access to the Roundup instance, and potentially compromise the entire tracking system and connected infrastructure.

🟠 Likely Case

Attackers steal user session cookies to access private issue data, modify tickets, or perform unauthorized actions within the tracking system.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, but this one requires user interaction or social engineering to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0

Vendor Advisory: https://www.roundup-tracker.org/docs/security.html#cve-announcements

Restart Required: Yes

Instructions:

1. Back up your Roundup instance and database.
2. Upgrade to Roundup 2.4.0 or later using pip: 'pip install --upgrade roundup'
3. Restart the Roundup web server.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Input Sanitization
Applies to: all

Implement strict input validation and output encoding for all user-supplied data in classhelpers.

Content Security Policy
Applies to: all

Implement a strict Content Security Policy header to restrict script execution sources.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Disable or restrict access to vulnerable classhelpers if not essential

🔍 How to Verify

Check if Vulnerable:

Check the Roundup version with 'python -c "import roundup; print(roundup.__version__)"'. If the reported version is lower than 2.4.0, the installation is vulnerable.

Check Version:

python -c "import roundup; print(roundup.__version__)"

Verify Fix Applied:

After upgrading, run the same command and confirm that the reported version is 2.4.0 or higher, then confirm that test XSS input submitted to the classhelpers is rendered as escaped text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in HTTP requests
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • Suspicious outbound connections after visiting Roundup pages
  • Unexpected data exfiltration patterns

SIEM Query:

source="web_server_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND uri="*roundup*"
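Added example, not part of the advisory: the same indicators as the SIEM query above applied to constructed web-server log lines in Python. It scopes to Roundup URIs and percent-decodes the request before matching, which the literal query does not do, so encoded payloads are not missed. The log lines, IPs and query parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the advisory's SIEM query; "<script" (without the closing
# bracket) also catches "<script src=...>". Matching is case-insensitive.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Line 2: percent-encoded payload; line 3: payload but not a Roundup URI;
# line 4: double-encoded payload.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /roundup/issue?@template=item HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2024:10:01:09 +0000] "GET /roundup/issue?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 498
10.0.0.8 - - [12/Jul/2024:10:02:30 +0000] "GET /blog/?q=%3Cscript%3E HTTP/1.1" 200 120
10.0.0.9 - - [12/Jul/2024:10:03:14 +0000] "GET /roundup/issue?q=%2522%2520onerror%253Dx HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def raw_uri_matches(uri: str) -> bool:
    """Literal match, as the SIEM query above does: misses encoded payloads."""
    u = uri.lower()
    return "roundup" in u and any(mk in u for mk in XSS_MARKERS)


def find_xss_attempts(log_text: str) -> list:
    """Return one record per Roundup request whose decoded URI carries a marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        uri = m.group("uri")
        if "roundup" not in uri.lower():
            continue  # scope to the tracker, like uri="*roundup*"
        # Decode twice: logged URIs are percent-encoded, sometimes doubly.
        decoded = unquote_plus(unquote_plus(uri)).lower()
        markers = [mk for mk in XSS_MARKERS if mk in decoded]
        if markers:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": uri, "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['markers']} {hit['uri']}")
```

A literal match on the raw URI (raw_uri_matches) misses both encoded lines, so check whether your SIEM decodes the URI field before relying on the query as written.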
