CVE-2024-39126

5.4 MEDIUM

📋 TL;DR

Roundup versions before 2.4.0 are vulnerable to cross-site scripting (XSS) attacks when processing PDF, XML, and SVG documents containing malicious JavaScript. This allows attackers to execute arbitrary scripts in users' browsers when they view these documents. All Roundup installations using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Roundup Issue Tracker
Versions: All versions before 2.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in document processing functionality; affects all installations regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites.

🟠

Likely Case

Session hijacking, credential theft, or limited account compromise through social engineering.

🟢

If Mitigated

Minimal impact with proper content security policies and input validation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (viewing malicious document) and likely requires authenticated access to upload documents.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0

Vendor Advisory: https://www.roundup-tracker.org/docs/security.html#cve-announcements

Restart Required: Yes

Instructions:

1. Back up your Roundup instance.
2. Upgrade to Roundup 2.4.0 or later using pip: pip install --upgrade roundup
3. Restart the Roundup service.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Disable document uploads

all

Temporarily disable PDF, XML, and SVG file uploads in Roundup configuration.

Edit roundup configuration to remove or restrict file upload types

Implement content security policy

all

Add strict Content-Security-Policy headers to prevent script execution.

Add the header "Content-Security-Policy: script-src 'self'" to the web server configuration

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious document uploads
  • Restrict document upload permissions to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check the installed Roundup version: if it is lower than 2.4.0, the installation is vulnerable.

Check Version:

python -c "import roundup; print(roundup.__version__)"

Verify Fix Applied:

Confirm version is 2.4.0 or higher and test document upload functionality.
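The version check above is easy to get wrong with a plain string comparison ("2.10.0" sorts before "2.4.0" as text). The following is an added example, not part of the advisory or of Roundup itself: it parses the reported version into numeric parts, treats pre-release tags (rc, a, b, dev) as older than the final release, and compares against the fixed version 2.4.0 named above.

```python
"""Added example: decide whether an installed Roundup is below the fixed release 2.4.0."""
import re

FIXED_VERSION = "2.4.0"  # first release containing the fix, per the advisory


def parse_version(text):
    """Return (numeric_parts, is_prerelease) for strings like '2.3.0' or '2.4.0rc1'."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    parts = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).strip()
    # Anything like rc1, a2, b1 or .dev0 after the numbers marks a pre-release.
    is_prerelease = bool(re.match(r"^[.-]?(a|b|rc|dev)", suffix, re.IGNORECASE))
    return parts, is_prerelease


def version_key(text):
    """Sortable key: numeric tuple padded to 3 parts, then 0 for pre-release / 1 for final."""
    parts, pre = parse_version(text)
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))  # so "2.4" equals "2.4.0"
    return (parts, 0 if pre else 1)


def is_vulnerable(version_text):
    """True when the given version string is older than the fixed release."""
    return version_key(version_text) < version_key(FIXED_VERSION)


def check_installed():
    """Inspect the importable roundup package; None if roundup is not installed here."""
    try:
        import roundup  # the package exposes __version__, as used in the advisory's check
    except ImportError:
        return None
    return is_vulnerable(roundup.__version__)


if __name__ == "__main__":
    state = check_installed()
    if state is None:
        print("roundup is not importable in this interpreter")
    else:
        print("VULNERABLE (below %s)" % FIXED_VERSION if state else "patched (%s or later)" % FIXED_VERSION)
```

Run it with the same interpreter that serves Roundup, since a different Python may have a different roundup package installed.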

📡 Detection & Monitoring

Log Indicators:

  • Unusual document uploads
  • Multiple failed upload attempts
  • Suspicious file names

Network Indicators:

  • Uploads of PDF/XML/SVG files containing script tags
  • Unusual outbound connections after document viewing

SIEM Query:

source="roundup.log" AND ("upload" OR "document") AND ("pdf" OR "xml" OR "svg")
