CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17427
https://notcve.org/view.php?id=CVE-2019-17427
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. En Redmine versiones anteriores a 3.4.11 y versiones 4.0.x anteriores a 4.0.4, se presenta una vulnerabilidad de tipo XSS persistente debido a errores de formateo textile. • https://github.com/RealLinkers/CVE-2019-17427 https://seclists.org/bugtraq/2019/Nov/31 https://usn.ubuntu.com/4200-1 https://www.debian.org/security/2019/dsa-4574 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-18026
https://notcve.org/view.php?id=CVE-2017-18026
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. Redmine en versiones anteriores a la 3.2.9, 3.3.x anteriores a 3.3.6 y 3.4.x anteriores a 3.4.4 no bloquea los flags --config y --debugger en el programa Mercurial hg, lo que permite que los atacantes remotos ejecuten comandos arbitrarios (mediante el adaptador Mercurial) por medio de vectores que involucran una rama cuyo nombre empieza con una subcadena --config= o --debugger=. Esta vulnerabilidad está relacionada con CVE-2017-17536. • https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27516 https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16804
https://notcve.org/view.php?id=CVE-2017-16804
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages. En Redmine en versiones anteriores a la 3.2.7 y las versiones 3.3.x anteriores a la 3.3.4, la función reminders en app/models/mailer.rb no comprueba si un problema es visible, lo que permite que usuarios remotos autenticados obtengan información sensible leyendo mensajes de recordatorio de correo electrónico. • https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/25713 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-15576
https://notcve.org/view.php?id=CVE-2017-15576
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information. Redmine en versiones anteriores a la 3.2.6 y 3.3.x en versiones anteriores a la 3.3.3 gestiona de manera incorrecta la presentación Time Entry en vistas de actividad, lo que permite que atacantes remotos obtengan información sensible. • https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/23803 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2017-15571
https://notcve.org/view.php?id=CVE-2017-15571
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data. En Redmine en versiones anteriores a la 3.2.8, 3.3.x en versiones anteriores a la 3.3.5 y 3.4.x en versiones anteriores a la 3.4.3, existe XSS en app/views/issues/_list.html.erb mediante datos de columna manipulados. • https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27186 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •