The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00478.html
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00452.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00375.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00264.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/41240
https://bugzilla.redhat.com/show_bug.cgi?id=436546
http://www.vupen.com/english/advisories/2008/0891
http://www.securityfocus.com/bid/28238
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
http://security.gentoo.org/glsa/glsa-200805-21.xml
http://secunia.com/advisories/32805
http://secunia.com/advisories/30274