CVE-2021-31865
https://notcve.org/view.php?id=CVE-2021-31865
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. Redmine versiones anteriores a 4.0.9, versiones 4.1.x anteriores a 4.1.3 y versiones 4.2.x anteriores a 4.2.1, permite a usuarios omitir unas extensiones de nombre de archivo permitidas de archivos adjuntos cargados • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/news/131 https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVE-2021-31866
https://notcve.org/view.php?id=CVE-2021-31866
Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. Redmine versiones anteriores a 4.0.9 y versiones 4.1.x anteriores a 4.1.3, permite a un atacante aprender los valores de las claves de autenticación internas al observar las diferencias de tiempo en las operaciones de comparación de cadenas dentro de las funciones SysController y MailHandlerController • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/news/131 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-203: Observable Discrepancy •
CVE-2021-30163
https://notcve.org/view.php?id=CVE-2021-30163
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes detectar los nombres de proyectos privados si se presentan detalles del diario de problemas que poseen cambios en unos valores de project_id • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVE-2020-36306
https://notcve.org/view.php?id=CVE-2020-36306
Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, presenta un ataque de tipo XSS por medio del campo back_url • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-36307
https://notcve.org/view.php?id=CVE-2020-36307
Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links. Redmine versiones anteriores a 4.0.7 y versiones 4.1.x anteriores a 4.1.1, presenta un ataque de tipo XSS almacenado por medio de enlaces en línea de textile • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •