CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36308
https://notcve.org/view.php?id=CVE-2020-36308
Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, permite a atacantes detectar el tema de un problema no visible al llevar a cabo una exportación CSV y leer las entradas de tiempo • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-25026
https://notcve.org/view.php?id=CVE-2019-25026
Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting. Redmine versiones anteriores a 3.4.13 y versiones 4.x anteriores a 4.0.6, maneja inapropiadamente unos datos de marcado durante el formateo de Textile • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-30164
https://notcve.org/view.php?id=CVE-2021-30164
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes omitir el requisito de permiso add_issue_notes al aprovechar la API Issues • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2021-30158
https://notcve.org/view.php?id=CVE-2021-30158
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. Se detectó un problema en MediaWiki versiones anteriores a 1.31.12 y versiones 1.32.x hasta 1.35.x anteriores a 1.35.2. Los usuarios bloqueados no pueden usar Special:ResetTokens. • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT https://phabricator.wikimedia.org/T277009 https://security.gentoo.org/glsa/202107-40 https://www.debian.org/security/2021/dsa-4889 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2021-30151 – sidekiq: XSS via the queue name of the live-poll feature
https://notcve.org/view.php?id=CVE-2021-30151
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. Sidekiq versiones hasta 5.1.3 y versiones 6.x hasta 6.2.0, permite un ataque de tipo XSS por medio del nombre queue de la funcionalidad live-poll cuando es usado Internet Explorer A cross-site scripting vulnerability was found in sidekiq via the queue name of the live-poll feature. A potential attacker can impersonate or masquerade as the victim user using this vulnerability when Internet Explorer is used. • https://github.com/mperham/sidekiq/issues/4852 https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html https://access.redhat.com/security/cve/CVE-2021-30151 https://bugzilla.redhat.com/show_bug.cgi?id=2013503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •