CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2017-15570
https://notcve.org/view.php?id=CVE-2017-15570
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data. En Redmine en versiones anteriores a la 3.2.8, 3.3.x en versiones anteriores a la 3.3.5 y 3.4.x en versiones anteriores a la 3.4.3, existe XSS en app/views/timelog/_list.html.erb mediante datos de columna manipulados. • https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/27186 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2017-15573
https://notcve.org/view.php?id=CVE-2017-15573
In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content. En Redmine en versiones anteriores a la 3.2.6 y 3.3.x en versiones anteriores a la 3.3.3, existe XSS porque se gestiona de manera incorrecta la revisión en el contenido de la wiki. • https://www.debian.org/security/2018/dsa-4191 https://www.redmine.org/issues/25503 https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8477
https://notcve.org/view.php?id=CVE-2015-8477
Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering. Vulnerabilidad de tipo Cross-site scripting (XSS) en Redmine versiones anteriores a la 2.6.2, que permitiría a atacantes remotos inyectar secuencias de comando web arbitrarias o HTML a través de vectores que involucren el renderizado de mensajes flash. • http://www.openwall.com/lists/oss-security/2015/12/05/7 http://www.openwall.com/lists/oss-security/2015/12/05/8 http://www.redmine.org/projects/redmine/wiki/Security_Advisories https://www.redmine.org/issues/19117 https://www.redmine.org/projects/redmine/repository/entry/tags/2.6.2/doc/CHANGELOG • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2015-8473
https://notcve.org/view.php?id=CVE-2015-8473
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects. La API Issues en Redmine en versiones anteriores a 2.6.8, 3.0.x en versiones anteriores a 3.0.6 y 3.1.x en versiones anteriores a 3.1.2 permite a usuarios remotos autenticados obtener información sensible de mensajes changeset aprovechando el permiso para leer problemas en relación con changesets de otros proyectos. • http://www.debian.org/security/2016/dsa-3529 http://www.securityfocus.com/bid/78621 https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22 https://www.redmine.org/issues/21136 https://www.redmine.org/projects/redmine/wiki/Changelog_3_0 https://www.redmine.org/projects/redmine/wiki/Changelog_3_1 https://www.redmine.org/versions/105 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 10EXPL: 0CVE-2015-8474
https://notcve.org/view.php?id=CVE-2015-8474
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985. Vulnerabilidad de redirección abierta en la función valid_back_url en app/controllers/application_controller.rb en Redmine en versiones anteriores a 2.6.7, 3.0.x en versiones anteriores a 3.0.5 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de un parámetro back_url manipulado, según lo demostrado por "@attacker.com", una vulnerabilidad diferente a CVE-2014-1985. • http://www.debian.org/security/2016/dsa-3529 http://www.redmine.org/news/101 http://www.securityfocus.com/bid/78625 https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 https://www.redmine.org/issues/19577 •