
CVE-2019-17427 – Debian Security Advisory 4574-1
https://notcve.org/view.php?id=CVE-2019-17427
10 Oct 2019 — In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. It was discovered that Redmine incorrectly handles certain inputs that could cause textile formatting errors. An attacker could possibly use this issue to cause an XSS attack. It was discovered that an SQL injection could allow users to ... • https://github.com/RealLinkers/CVE-2019-17427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18026 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-18026
10 Jan 2018 — Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. • https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678

CVE-2017-16804 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-16804
13 Nov 2017 — In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages. • https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2017-15575 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15575
18 Oct 2017 — In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact. • https://www.debian.org/security/2018/dsa-4191

CVE-2017-15574 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15574
18 Oct 2017 — In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment. Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosure or cross-site scripting attacks. • https://www.debian.org/security/2018/dsa-4191 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-15569 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15569
18 Oct 2017 — In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list. • https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-15570 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15570
18 Oct 2017 — In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data. Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosu... • https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-15576 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15576
18 Oct 2017 — Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information. Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote co... • https://www.debian.org/security/2018/dsa-4191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2017-15577 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15577
18 Oct 2017 — Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information. Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information dis... • https://www.debian.org/security/2018/dsa-4191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2017-15572 – Debian Security Advisory 4191-1
https://notcve.org/view.php?id=CVE-2017-15572
18 Oct 2017 — In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect. Multiple vulnerabilities were discov... • https://www.debian.org/security/2018/dsa-4191 • CWE-532: Insertion of Sensitive Information into Log File