CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-30164
https://notcve.org/view.php?id=CVE-2021-30164
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. Redmine versiones anteriores a 4.0.8 y versiones 4.1.x anteriores a 4.1.2, permite a atacantes omitir el requisito de permiso add_issue_notes al aprovechar la API Issues • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-29274
https://notcve.org/view.php?id=CVE-2021-29274
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Redmine versiones 4.1.x anteriores a 4.1.2, permite un ataque de tipo XSS porque el tema de un problema es manejado inapropiadamente en la sugerencia de autocompletar • https://www.redmine.org/issues/33846 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2019-18890
https://notcve.org/view.php?id=CVE-2019-18890
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. Una vulnerabilidad de inyección SQL en Redmine versiones hasta 3.2.9 y versiones 3.3.x anteriores a 3.3.10, permite a usuarios de Redmine acceder a información protegida por medio de una consulta de objeto diseñada. • https://github.com/RealLinkers/CVE-2019-18890 https://seclists.org/bugtraq/2019/Nov/31 https://security-tracker.debian.org/tracker/CVE-2019-18890 https://usn.ubuntu.com/4200-1 https://www.debian.org/security/2019/dsa-4574 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17427
https://notcve.org/view.php?id=CVE-2019-17427
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. En Redmine versiones anteriores a 3.4.11 y versiones 4.0.x anteriores a 4.0.4, se presenta una vulnerabilidad de tipo XSS persistente debido a errores de formateo textile. • https://github.com/RealLinkers/CVE-2019-17427 https://seclists.org/bugtraq/2019/Nov/31 https://usn.ubuntu.com/4200-1 https://www.debian.org/security/2019/dsa-4574 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-18026
https://notcve.org/view.php?id=CVE-2017-18026
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. Redmine en versiones anteriores a la 3.2.9, 3.3.x anteriores a 3.3.6 y 3.4.x anteriores a 3.4.4 no bloquea los flags --config y --debugger en el programa Mercurial hg, lo que permite que los atacantes remotos ejecuten comandos arbitrarios (mediante el adaptador Mercurial) por medio de vectores que involucran una rama cuyo nombre empieza con una subcadena --config= o --debugger=. Esta vulnerabilidad está relacionada con CVE-2017-17536. • https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27516 https://www.redmine.org/projects/redmine/wiki/Security_Advisories •