CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-30163
https://notcve.org/view.php?id=CVE-2021-30163
06 Apr 2021 — Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes detectar los nombres de proyectos privados si se presentan detalles del diario de problemas que poseen cambios en unos valores de project_id • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36306
https://notcve.org/view.php?id=CVE-2020-36306
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, presenta un ataque de tipo XSS por medio del campo back_url • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36307
https://notcve.org/view.php?id=CVE-2020-36307
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, presenta un ataque de tipo XSS almacenado por medio de enlaces en línea de textile • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36308
https://notcve.org/view.php?id=CVE-2020-36308
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, permite a atacantes detectar el tema de un problema no visible al llevar a cabo una exportación CSV y leer las entradas de tiempo • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-25026
https://notcve.org/view.php?id=CVE-2019-25026
06 Apr 2021 — Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting. Redmine versiones anteriores a 3.4.13 y versiones 4.x anteriores a 4.0.6, maneja inapropiadamente unos datos de marcado durante el formateo de Textile • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-30164
https://notcve.org/view.php?id=CVE-2021-30164
06 Apr 2021 — Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes omitir el requisito de permiso add_issue_notes al aprovechar la API Issues • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •
CVSS: 6.5EPSS: 28%CPEs: 2EXPL: 1CVE-2019-18890 – Debian Security Advisory 4574-1
https://notcve.org/view.php?id=CVE-2019-18890
20 Nov 2019 — A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. Una vulnerabilidad de inyección SQL en Redmine versiones hasta 3.2.9 y versiones 3.3.x anteriores a 3.3.10, permite a usuarios de Redmine acceder a información protegida por medio de una consulta de objeto diseñada. It was discovered that Redmine incorrectly handle certain inputs that could cause textile formatting errors. An attacker could possibly ... • https://github.com/RealLinkers/CVE-2019-18890 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 2%CPEs: 2EXPL: 1CVE-2019-17427 – Debian Security Advisory 4574-1
https://notcve.org/view.php?id=CVE-2019-17427
10 Oct 2019 — In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. En Redmine versiones anteriores a 3.4.11 y versiones 4.0.x anteriores a 4.0.4, se presenta una vulnerabilidad de tipo XSS persistente debido a errores de formateo textile. It was discovered that Redmine incorrectly handle certain inputs that could cause textile formatting errors. An attacker could possibly use this issue to cause a XSS attack. It was discovered that an SQL injection could allow users to ... • https://github.com/RealLinkers/CVE-2019-17427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-18026 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-18026
10 Jan 2018 — Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. Redmine en versiones anteriores a la 3.2.9, 3.3.x anteriores a 3.3.6 y 3.4.x anteriores a 3.4.4 no bloquea los flags --config y --debugger en el progr... • https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16804 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-16804
13 Nov 2017 — In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages. En Redmine en versiones anteriores a la 3.2.7 y las versiones 3.3.x anteriores a la 3.3.4, la función reminders en app/models/mailer.rb no comprueba si un problema es visible, lo que permite que usuarios remotos autenticados obtengan información sensible leyendo m... • https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •