CVE-2008-1474: Roundup vulnerability related to Cross-site scripting (XSS)
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76409%
CWE
Published
5/1/2022
Updated
10/26/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
roundup | pip | < 1.4.4 | 1.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from multiple HTMLProperty subclasses in 'templating.py' whose plain()
methods lacked output escaping. The commit patching CVE-2008-1474 adds 'escape=1' parameters to these method calls and modifies the plain()
method signatures to support escaping. This directly addresses XSS by ensuring user-controlled data is HTML-encoded when rendered. The changes in templates (removing 'structure' directives) further confirm the XSS mitigation strategy. Each identified function corresponds to a property type that could render untrusted data without escaping prior to the patch.