CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16804
https://notcve.org/view.php?id=CVE-2017-16804
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages. En Redmine en versiones anteriores a la 3.2.7 y las versiones 3.3.x anteriores a la 3.3.4, la función reminders en app/models/mailer.rb no comprueba si un problema es visible, lo que permite que usuarios remotos autenticados obtengan información sensible leyendo mensajes de recordatorio de correo electrónico. • https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/25713 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-15576
https://notcve.org/view.php?id=CVE-2017-15576
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information. Redmine en versiones anteriores a la 3.2.6 y 3.3.x en versiones anteriores a la 3.3.3 gestiona de manera incorrecta la presentación Time Entry en vistas de actividad, lo que permite que atacantes remotos obtengan información sensible. • https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/23803 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2017-15571
https://notcve.org/view.php?id=CVE-2017-15571
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data. En Redmine en versiones anteriores a la 3.2.8, 3.3.x en versiones anteriores a la 3.3.5 y 3.4.x en versiones anteriores a la 3.4.3, existe XSS en app/views/issues/_list.html.erb mediante datos de columna manipulados. • https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27186 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-15575
https://notcve.org/view.php?id=CVE-2017-15575
In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact. En Redmine en versiones anteriores a la 3.2.6 y 3.3.x en versiones anteriores a la 3.3.3, Redmine.pm no tiene verificación para cuando el módulo Repository está habilitado en la configuración de un proyecto, lo que podría permitir que atacantes remotos obtengan diferente información sensible o provoquen otro impacto sin especificar. • https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/24307 https://www.redmine.org/projects/redmine/wiki/Security_Advisories •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-15572
https://notcve.org/view.php?id=CVE-2017-15572
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect. En Redmine en versiones anteriores a la 3.2.6 y 3.3.x en versiones anteriores a la 3.3.3, atacantes remotos pueden obtener información sensible (tokens de reestablecimiento de contraseña) leyendo un registro Referer, ya que account/lost_password no emplea una redirección. • https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/24416 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-532: Insertion of Sensitive Information into Log File •