CVE-2025-53865
BaseFortify
Publication date: 2025-07-13
Last updated on: 2025-07-15
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundup | issue_tracker | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53865 is a Cross-Site Scripting (XSS) vulnerability in the Roundup issue tracker software versions before 2.5.0, specifically affecting the 'devel' and 'responsive' templates. It occurs because these templates use unsafe TAL template constructs: the 'structure' keyword with '.plain' representations allows unescaped HTML rendering, and 'tal:replace' inserts unescaped user-controlled content. This enables attackers to inject and execute arbitrary JavaScript via crafted URL query parameters or other inputs. The classic template has avoided these issues for many years. The vulnerability was fixed in Roundup version 2.5.0 by removing the 'structure' keyword in these contexts and replacing 'tal:replace' with safer constructs that properly escape content. [1, 2]
How can this vulnerability impact me?
This XSS vulnerability can allow attackers to execute arbitrary JavaScript in the context of the Roundup issue tracker web application. This can lead to unauthorized actions such as stealing user session cookies, performing actions on behalf of authenticated users, defacing the web interface, or redirecting users to malicious sites. Essentially, it compromises the security and integrity of the application and its users by enabling client-side code injection through crafted URLs or inputs. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect the vulnerability by searching your Roundup issue tracker template files for unsafe TAL template constructs. Specifically, look for the use of the `structure` keyword with `.plain` representations and the use of `tal:replace` with unescaped user input. On Unix-like systems, you can run the following commands in your tracker's `html` template directory to find vulnerable patterns:

1. To find `structure` usage with `.plain`: `grep 'structure.*/plain' *.html`
2. To find instances of `tal:replace` that may be unsafe, manually audit template files such as `_generic.collision.html`, `bug.item.html`, `keyword.item.html`, `milestone.item.html`, `msg.item.html`, `task.item.html`, and `user.item.html` for `<span tal:replace="context/MUMBLE" />` constructs.

Manual verification is recommended to confirm whether these constructs are present and vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Upgrade your Roundup installation to version 2.5.0 or later, where this vulnerability is fixed.
2. If upgrading is not immediately possible, manually fix the vulnerable templates by:
   - Removing the `structure` keyword when used with `.plain` representations, replacing `tal:content="structure context/MUMBLE/plain"` with `tal:content="context/MUMBLE/plain"`. This can be done with: `sed -i.bak -e '/structure.*\/plain/s/structure.//' *.html`
   - Replacing unsafe `<span tal:replace="context/MUMBLE" />` constructs with `<tal:x tal:content="context/MUMBLE" />` in affected template files.
   - In `page.html`, changing `<p class="label"><b tal:replace="request/user/username">username</b></p>` to `<p class="label"><b tal:replace="python:request.user.username.plain(escape=1)">username</b></p>` to ensure proper escaping.
3. Backup template files before making changes.
4. Audit all templates for similar unsafe TAL constructs and apply the fixes accordingly.

These steps will mitigate the XSS vulnerability until a full upgrade can be performed. [2, 1]
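The detection commands and the interim template fix from the two answers above, combined into one audit script. This is an added example, not BaseFortify's or the Roundup project's code. It assumes the tracker's templates are the `*.html` files in the directory passed as its first argument; the `grep` for `structure.*/plain` and the `sed` rewrite are the ones the answers give, while the `tal:replace` regex is an assumed heuristic that flags `context/` and `request/` paths (the answers call for a manual audit of that pattern) and ignores the escaped `python:` form recommended for `page.html`. The fixture templates are constructed for the example, with `content` and `author` standing in for the advisory's `MUMBLE`.

```shell
#!/bin/sh
# Added audit helper (not BaseFortify's or Roundup's code). Assumes the tracker's
# templates are the *.html files in the directory given as the first argument.

# Lines that render a .plain representation through the 'structure' keyword
# (the grep pattern is the one given in the detection answer).
find_structure_plain() {
    grep -n 'structure.*/plain' "$1"/*.html 2>/dev/null
}

# Lines that insert a context/ or request/ value with tal:replace. The answer
# calls for a manual audit here; this regex is an assumed heuristic that also
# catches the page.html username case and skips python: expressions such as
# the escaped replacement the mitigation answer recommends.
find_tal_replace() {
    grep -nE 'tal:replace="(context|request)/' "$1"/*.html 2>/dev/null
}

# Total number of flagged lines, printed as a plain integer.
count_findings() {
    n1=$(find_structure_plain "$1" | wc -l | tr -d ' ')
    n2=$(find_tal_replace "$1" | wc -l | tr -d ' ')
    echo $((n1 + n2))
}

# The sed rewrite from the mitigation answer for the first pattern; it leaves
# *.html.bak copies behind, which the globs above do not pick up.
apply_structure_fix() {
    sed -i.bak -e '/structure.*\/plain/s/structure.//' "$1"/*.html
}

# Constructed fixture: a temporary directory with three small templates, two
# carrying the unsafe constructs and one already in the fixed form.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/msg.item.html" <<'EOF'
<pre tal:content="structure context/content/plain">message body</pre>
<span tal:replace="context/author" />
EOF
    cat > "$dir/page.html" <<'EOF'
<p class="label"><b tal:replace="request/user/username">username</b></p>
EOF
    cat > "$dir/fixed.item.html" <<'EOF'
<pre tal:content="context/content/plain">message body</pre>
<tal:x tal:content="context/author" />
<b tal:replace="python:request.user.username.plain(escape=1)">username</b>
EOF
    echo "$dir"
}

# Usage: sh audit_tal.sh /path/to/tracker/html
if [ -n "${1:-}" ]; then
    echo "Unsafe 'structure ... /plain' lines:"
    find_structure_plain "$1"
    echo "tal:replace lines to review by hand:"
    find_tal_replace "$1"
    echo "Total flagged lines: $(count_findings "$1")"
fi
```

Run it against a copy of the tracker's `html` directory first: `apply_structure_fix` only removes the `structure` keyword, so the `tal:replace` lines it lists still need the hand edits from the mitigation answer, and every finding should be confirmed in context before templates are changed in place.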