CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-30164
https://notcve.org/view.php?id=CVE-2021-30164
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes omitir el requisito de permiso add_issue_notes al aprovechar la API Issues • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2019-18890
https://notcve.org/view.php?id=CVE-2019-18890
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. Una vulnerabilidad de inyección SQL en Redmine versiones hasta 3.2.9 y versiones 3.3.x anteriores a 3.3.10, permite a usuarios de Redmine acceder a información protegida por medio de una consulta de objeto diseñada. • https://github.com/RealLinkers/CVE-2019-18890 https://seclists.org/bugtraq/2019/Nov/31 https://security-tracker.debian.org/tracker/CVE-2019-18890 https://usn.ubuntu.com/4200-1 https://www.debian.org/security/2019/dsa-4574 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17427
https://notcve.org/view.php?id=CVE-2019-17427
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. En Redmine versiones anteriores a 3.4.11 y versiones 4.0.x anteriores a 4.0.4, se presenta una vulnerabilidad de tipo XSS persistente debido a errores de formateo textile. • https://github.com/RealLinkers/CVE-2019-17427 https://seclists.org/bugtraq/2019/Nov/31 https://usn.ubuntu.com/4200-1 https://www.debian.org/security/2019/dsa-4574 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-18026
https://notcve.org/view.php?id=CVE-2017-18026
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. Redmine en versiones anteriores a la 3.2.9, 3.3.x anteriores a 3.3.6 y 3.4.x anteriores a 3.4.4 no bloquea los flags --config y --debugger en el programa Mercurial hg, lo que permite que los atacantes remotos ejecuten comandos arbitrarios (mediante el adaptador Mercurial) por medio de vectores que involucran una rama cuyo nombre empieza con una subcadena --config= o --debugger=. Esta vulnerabilidad está relacionada con CVE-2017-17536. • https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27516 https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16804
https://notcve.org/view.php?id=CVE-2017-16804
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages. En Redmine en versiones anteriores a la 3.2.7 y las versiones 3.3.x anteriores a la 3.3.4, la función reminders en app/models/mailer.rb no comprueba si un problema es visible, lo que permite que usuarios remotos autenticados obtengan información sensible leyendo mensajes de recordatorio de correo electrónico. • https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/25713 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •