Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
53 vulnerabilities by Redmine
CVE-2026-1836 (GCVE-0-2026-1836)
Vulnerability from cvelistv5 – Published: 2026-06-12 13:23 – Updated: 2026-06-12 14:00
VLAI
Title
Stored credentials in Redmine
Summary
The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-257 - Storing passwords in a recoverable format
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | patch |
Impacted products
Date Public
2026-03-31 10:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:00:02.963086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:00:11.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Redmine",
"vendor": "Redmine",
"versions": [
{
"lessThan": "6.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.1.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.14",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.0.7"
},
{
"status": "unaffected",
"version": "5.1.10"
},
{
"status": "unaffected",
"version": "5.0.14"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.10",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.14",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redmine:redmine:6.0.7:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:redmine:redmine:5.1.10:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:redmine:redmine:5.0.14:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2026-03-31T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials."
}
],
"value": "The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257 Storing passwords in a recoverable format",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:23:31.810Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-credentials-redmine"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed by Redmine team in versions 6.0.7, 5.1.10 and 5.0.14."
}
],
"value": "The vulnerability has been fixed by Redmine team in versions 6.0.7, 5.1.10 and 5.0.14."
}
],
"source": {
"defect": [
"David Rubio Lora"
],
"discovery": "EXTERNAL"
},
"title": "Stored credentials in Redmine",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-1836",
"datePublished": "2026-06-12T13:23:31.810Z",
"dateReserved": "2026-02-03T15:43:30.850Z",
"dateUpdated": "2026-06-12T14:00:11.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37105 (GCVE-0-2020-37105)
Vulnerability from cvelistv5 – Published: 2026-02-03 16:52 – Updated: 2026-03-05 01:28
VLAI
Title
PMB 5.6 - 'logid' SQL Injection
Summary
PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48356 | exploit |
| http://www.sigb.net | product |
| http://forge.sigb.net/redmine/projects/pmb/files | product |
| https://www.vulncheck.com/advisories/pmb-logid-sq… | third-party-advisory |
Date Public
2020-04-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37105",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:11:58.546226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:12:06.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PMB",
"vendor": "redmine",
"versions": [
{
"status": "affected",
"version": "5.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:5.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "41-trk (Tarik Bakir)"
}
],
"datePublic": "2020-04-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the \u0027logid\u0027 parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T01:28:01.173Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48356",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48356"
},
{
"name": "Vendor Homepage",
"tags": [
"product"
],
"url": "http://www.sigb.net"
},
{
"name": "Software Download Repository",
"tags": [
"product"
],
"url": "http://forge.sigb.net/redmine/projects/pmb/files"
},
{
"name": "VulnCheck Advisory: PMB 5.6 - \u0027logid\u0027 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/pmb-logid-sql-injection"
}
],
"title": "PMB 5.6 - \u0027logid\u0027 SQL Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37105",
"datePublished": "2026-02-03T16:52:43.083Z",
"dateReserved": "2026-02-01T13:16:06.490Z",
"dateUpdated": "2026-03-05T01:28:01.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47258 (GCVE-0-2023-47258)
Vulnerability from cvelistv5 – Published: 2023-11-05 00:00 – Updated: 2024-09-05 14:21
VLAI
Summary
Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:36.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:21:13.550364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:21:27.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-05T03:14:35.371Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-47258",
"datePublished": "2023-11-05T00:00:00.000Z",
"dateReserved": "2023-11-05T00:00:00.000Z",
"dateUpdated": "2024-09-05T14:21:27.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47259 (GCVE-0-2023-47259)
Vulnerability from cvelistv5 – Published: 2023-11-05 00:00 – Updated: 2024-09-05 14:20
VLAI
Summary
Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:35.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:20:17.501573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:20:32.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-05T03:14:29.044Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-47259",
"datePublished": "2023-11-05T00:00:00.000Z",
"dateReserved": "2023-11-05T00:00:00.000Z",
"dateUpdated": "2024-09-05T14:20:32.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47260 (GCVE-0-2023-47260)
Vulnerability from cvelistv5 – Published: 2023-11-05 00:00 – Updated: 2024-09-05 14:19
VLAI
Summary
Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:35.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:19:09.426086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:19:21.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-05T03:14:15.304Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-47260",
"datePublished": "2023-11-05T00:00:00.000Z",
"dateReserved": "2023-11-05T00:00:00.000Z",
"dateUpdated": "2024-09-05T14:19:21.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44031 (GCVE-0-2022-44031)
Vulnerability from cvelistv5 – Published: 2022-12-12 00:00 – Updated: 2025-04-22 20:35
VLAI
Summary
Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization of the blockquote syntax in Textile-formatted fields.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T20:34:27.433171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T20:35:00.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization of the blockquote syntax in Textile-formatted fields."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-44031",
"datePublished": "2022-12-12T00:00:00.000Z",
"dateReserved": "2022-10-30T00:00:00.000Z",
"dateUpdated": "2025-04-22T20:35:00.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44637 (GCVE-0-2022-44637)
Vulnerability from cvelistv5 – Published: 2022-12-12 00:00 – Updated: 2025-04-23 13:53
VLAI
Summary
Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:04.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:52:42.925806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T13:53:41.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-44637",
"datePublished": "2022-12-12T00:00:00.000Z",
"dateReserved": "2022-11-03T00:00:00.000Z",
"dateUpdated": "2025-04-23T13:53:41.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44030 (GCVE-0-2022-44030)
Vulnerability from cvelistv5 – Published: 2022-12-06 00:00 – Updated: 2025-04-23 16:15
VLAI
Summary
Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.redmine.org/news/139"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T16:15:17.318601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:15:51.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"url": "https://www.redmine.org/news/139"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-44030",
"datePublished": "2022-12-06T00:00:00.000Z",
"dateReserved": "2022-10-30T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:15:51.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42326 (GCVE-0-2021-42326)
Vulnerability from cvelistv5 – Published: 2021-10-12 18:08 – Updated: 2024-08-04 03:30
VLAI
Summary
Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/133 | x_refsource_MISC |
| https://www.redmine.org/projects/redmine/wiki/Cha… | x_refsource_MISC |
| https://www.redmine.org/projects/redmine/wiki/Cha… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/133"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10"
},
{
"name": "[debian-lts-announce] 20211018 [SECURITY] [DLA 2787-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T19:06:13.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/133"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10"
},
{
"name": "[debian-lts-announce] 20211018 [SECURITY] [DLA 2787-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/133",
"refsource": "MISC",
"url": "https://www.redmine.org/news/133"
},
{
"name": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10"
},
{
"name": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Changelog_4_1#415-2021-10-10"
},
{
"name": "[debian-lts-announce] 20211018 [SECURITY] [DLA 2787-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42326",
"datePublished": "2021-10-12T18:08:53.000Z",
"dateReserved": "2021-10-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:30:38.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37156 (GCVE-0-2021-37156)
Vulnerability from cvelistv5 – Published: 2021-08-05 20:36 – Updated: 2024-08-04 01:16
VLAI
Summary
Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/132 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/132"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user\u0027s account, but the intended behavior is for those sessions to be terminated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-05T20:36:35.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/132"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37156",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user\u0027s account, but the intended behavior is for those sessions to be terminated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/132",
"refsource": "MISC",
"url": "https://www.redmine.org/news/132"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37156",
"datePublished": "2021-08-05T20:36:35.000Z",
"dateReserved": "2021-07-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:16:02.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31863 (GCVE-0-2021-31863)
Vulnerability from cvelistv5 – Published: 2021-04-28 06:17 – Updated: 2024-08-03 23:10
VLAI
Summary
Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/131 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:15.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/131",
"refsource": "MISC",
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31863",
"datePublished": "2021-04-28T06:17:10.000Z",
"dateReserved": "2021-04-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:10:30.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31864 (GCVE-0-2021-31864)
Vulnerability from cvelistv5 – Published: 2021-04-28 06:16 – Updated: 2024-08-03 23:10
VLAI
Summary
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/131 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:12.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31864",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/131",
"refsource": "MISC",
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31864",
"datePublished": "2021-04-28T06:16:57.000Z",
"dateReserved": "2021-04-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:10:30.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31865 (GCVE-0-2021-31865)
Vulnerability from cvelistv5 – Published: 2021-04-28 06:16 – Updated: 2024-08-03 23:10
VLAI
Summary
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/131 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:16.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31865",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/131",
"refsource": "MISC",
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31865",
"datePublished": "2021-04-28T06:16:47.000Z",
"dateReserved": "2021-04-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:10:30.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31866 (GCVE-0-2021-31866)
Vulnerability from cvelistv5 – Published: 2021-04-28 06:16 – Updated: 2024-08-03 23:10
VLAI
Summary
Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/news/131 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:14.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31866",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/news/131",
"refsource": "MISC",
"url": "https://www.redmine.org/news/131"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31866",
"datePublished": "2021-04-28T06:16:31.000Z",
"dateReserved": "2021-04-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:10:30.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30163 (GCVE-0-2021-30163)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:59 – Updated: 2024-08-03 22:24
VLAI
Summary
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:17.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30163",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-30163",
"datePublished": "2021-04-06T07:59:55.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:24:59.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36306 (GCVE-0-2020-36306)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:59 – Updated: 2024-08-04 17:23
VLAI
Summary
Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:11.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36306",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36306",
"datePublished": "2021-04-06T07:59:42.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36307 (GCVE-0-2020-36307)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:59 – Updated: 2024-08-04 17:23
VLAI
Summary
Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:15.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36307",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36307",
"datePublished": "2021-04-06T07:59:32.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36308 (GCVE-0-2020-36308)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:59 – Updated: 2024-08-04 17:23
VLAI
Summary
Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:18.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36308",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36308",
"datePublished": "2021-04-06T07:59:18.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25026 (GCVE-0-2019-25026)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:59 – Updated: 2024-08-05 03:00
VLAI
Summary
Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:18.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:12.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-25026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-25026",
"datePublished": "2021-04-06T07:59:04.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:00:18.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30164 (GCVE-0-2021-30164)
Vulnerability from cvelistv5 – Published: 2021-04-06 07:58 – Updated: 2024-08-03 22:24
VLAI
Summary
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T10:06:13.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30164",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "[debian-lts-announce] 20210513 [SECURITY] [DLA 2658-1] redmine security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-30164",
"datePublished": "2021-04-06T07:58:51.000Z",
"dateReserved": "2021-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:24:59.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29274 (GCVE-0-2021-29274)
Vulnerability from cvelistv5 – Published: 2021-03-29 03:46 – Updated: 2024-08-03 22:02
VLAI
Summary
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.redmine.org/issues/33846 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/issues/33846"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redmine 4.1.x before 4.1.2 allows XSS because an issue\u0027s subject is mishandled in the auto complete tip."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-29T05:12:41.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/issues/33846"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29274",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine 4.1.x before 4.1.2 allows XSS because an issue\u0027s subject is mishandled in the auto complete tip."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/issues/33846",
"refsource": "MISC",
"url": "https://www.redmine.org/issues/33846"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29274",
"datePublished": "2021-03-29T03:46:59.000Z",
"dateReserved": "2021-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18890 (GCVE-0-2019-18890)
Vulnerability from cvelistv5 – Published: 2019-11-21 17:46 – Updated: 2024-08-05 02:02
VLAI
Summary
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://security-tracker.debian.org/tracker/CVE-2… | x_refsource_MISC |
| https://www.debian.org/security/2019/dsa-4574 | vendor-advisoryx_refsource_DEBIAN |
| https://seclists.org/bugtraq/2019/Nov/31 | mailing-listx_refsource_BUGTRAQ |
| https://usn.ubuntu.com/4200-1/ | vendor-advisoryx_refsource_UBUNTU |
| https://github.com/RealLinkers/CVE-2019-18890 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:39.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2019-18890"
},
{
"name": "DSA-4574",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "USN-4200-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/RealLinkers/CVE-2019-18890"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-07T14:50:44.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2019-18890"
},
{
"name": "DSA-4574",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "USN-4200-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RealLinkers/CVE-2019-18890"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18890",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2019-18890",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-18890"
},
{
"name": "DSA-4574",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"name": "https://www.debian.org/security/2019/dsa-4574",
"refsource": "MISC",
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "USN-4200-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"name": "https://github.com/RealLinkers/CVE-2019-18890",
"refsource": "MISC",
"url": "https://github.com/RealLinkers/CVE-2019-18890"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18890",
"datePublished": "2019-11-21T17:46:41.000Z",
"dateReserved": "2019-11-12T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:02:39.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17427 (GCVE-0-2019-17427)
Vulnerability from cvelistv5 – Published: 2019-10-10 00:42 – Updated: 2024-08-05 01:40
VLAI
Summary
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://www.debian.org/security/2019/dsa-4574 | vendor-advisoryx_refsource_DEBIAN |
| https://seclists.org/bugtraq/2019/Nov/31 | mailing-listx_refsource_BUGTRAQ |
| https://usn.ubuntu.com/4200-1/ | vendor-advisoryx_refsource_UBUNTU |
| https://github.com/RealLinkers/CVE-2019-17427 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4574",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"name": "USN-4200-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/RealLinkers/CVE-2019-17427"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-07T18:37:11.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4574",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"name": "USN-4200-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RealLinkers/CVE-2019-17427"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17427",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4574",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4574"
},
{
"name": "20191119 [SECURITY] [DSA 4574-1] redmine security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Nov/31"
},
{
"name": "USN-4200-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4200-1/"
},
{
"name": "https://github.com/RealLinkers/CVE-2019-17427",
"refsource": "MISC",
"url": "https://github.com/RealLinkers/CVE-2019-17427"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17427",
"datePublished": "2019-10-10T00:42:09.000Z",
"dateReserved": "2019-10-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:40:15.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18026 (GCVE-0-2017-18026)
Vulnerability from cvelistv5 – Published: 2018-01-10 09:00 – Updated: 2024-08-05 21:06
VLAI
Summary
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://www.redmine.org/issues/27516 | x_refsource_MISC |
| https://github.com/redmine/redmine/commit/58ed865… | x_refsource_MISC |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_MISC |
| https://github.com/redmine/redmine/commit/ca87bf7… | x_refsource_MISC |
| https://github.com/redmine/redmine/commit/9d79740… | x_refsource_MISC |
Date Public
2018-01-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:50.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/issues/27516"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/issues/27516"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/issues/27516",
"refsource": "MISC",
"url": "https://www.redmine.org/issues/27516"
},
{
"name": "https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678",
"refsource": "MISC",
"url": "https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "MISC",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd",
"refsource": "MISC",
"url": "https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd"
},
{
"name": "https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e",
"refsource": "MISC",
"url": "https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18026",
"datePublished": "2018-01-10T09:00:00.000Z",
"dateReserved": "2018-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T21:06:50.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16804 (GCVE-0-2017-16804)
Vulnerability from cvelistv5 – Published: 2017-11-13 20:00 – Updated: 2024-08-05 20:35
VLAI
Summary
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://github.com/redmine/redmine/commit/0f09f16… | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/issues/25713 | x_refsource_CONFIRM |
Date Public
2017-11-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.015Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/25713"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/25713"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16804",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc",
"refsource": "CONFIRM",
"url": "https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/issues/25713",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/25713"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16804",
"datePublished": "2017-11-13T20:00:00.000Z",
"dateReserved": "2017-11-13T00:00:00.000Z",
"dateUpdated": "2024-08-05T20:35:21.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15577 (GCVE-0-2017-15577)
Vulnerability from cvelistv5 – Published: 2017-10-18 02:00 – Updated: 2024-08-05 19:57
VLAI
Summary
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/issues/23793 | x_refsource_CONFIRM |
Date Public
2017-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/23793"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/23793"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15577",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/issues/23793",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/23793"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15577",
"datePublished": "2017-10-18T02:00:00.000Z",
"dateReserved": "2017-10-17T00:00:00.000Z",
"dateUpdated": "2024-08-05T19:57:27.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15576 (GCVE-0-2017-15576)
Vulnerability from cvelistv5 – Published: 2017-10-18 02:00 – Updated: 2024-08-05 19:57
VLAI
Summary
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://www.redmine.org/issues/23803 | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2017-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/23803"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/23803"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15576",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://www.redmine.org/issues/23803",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/23803"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15576",
"datePublished": "2017-10-18T02:00:00.000Z",
"dateReserved": "2017-10-17T00:00:00.000Z",
"dateUpdated": "2024-08-05T19:57:27.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15569 (GCVE-0-2017-15569)
Vulnerability from cvelistv5 – Published: 2017-10-18 02:00 – Updated: 2024-08-05 19:57
VLAI
Summary
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/issues/27186 | x_refsource_CONFIRM |
| https://github.com/redmine/redmine/commit/56c8ee0… | x_refsource_CONFIRM |
Date Public
2017-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/27186"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/27186"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15569",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/issues/27186",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/27186"
},
{
"name": "https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508",
"refsource": "CONFIRM",
"url": "https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15569",
"datePublished": "2017-10-18T02:00:00.000Z",
"dateReserved": "2017-10-17T00:00:00.000Z",
"dateUpdated": "2024-08-05T19:57:27.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15573 (GCVE-0-2017-15573)
Vulnerability from cvelistv5 – Published: 2017-10-18 02:00 – Updated: 2024-08-05 19:57
VLAI
Summary
In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/issues/25503 | x_refsource_CONFIRM |
Date Public
2017-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/25503"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/25503"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15573",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/issues/25503",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/25503"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15573",
"datePublished": "2017-10-18T02:00:00.000Z",
"dateReserved": "2017-10-17T00:00:00.000Z",
"dateUpdated": "2024-08-05T19:57:27.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15570 (GCVE-0-2017-15570)
Vulnerability from cvelistv5 – Published: 2017-10-18 02:00 – Updated: 2024-08-05 19:57
VLAI
Summary
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.redmine.org/projects/redmine/wiki/Sec… | x_refsource_CONFIRM |
| https://github.com/redmine/redmine/commit/1a09764… | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4191 | vendor-advisoryx_refsource_DEBIAN |
| https://www.redmine.org/issues/27186 | x_refsource_CONFIRM |
Date Public
2017-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.047Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.redmine.org/issues/27186"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-04T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b"
},
{
"name": "DSA-4191",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.redmine.org/issues/27186"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15570",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
},
{
"name": "https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b",
"refsource": "CONFIRM",
"url": "https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b"
},
{
"name": "DSA-4191",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4191"
},
{
"name": "https://www.redmine.org/issues/27186",
"refsource": "CONFIRM",
"url": "https://www.redmine.org/issues/27186"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15570",
"datePublished": "2017-10-18T02:00:00.000Z",
"dateReserved": "2017-10-17T00:00:00.000Z",
"dateUpdated": "2024-08-05T19:57:27.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}