
CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.

References:
https://www.debian.org/security/2018/dsa-4191
https://www.redmine.org/issues/25503
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.

References:
http://www.openwall.com/lists/oss-security/2015/12/05/7
http://www.openwall.com/lists/oss-security/2015/12/05/8
http://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/19117
https://www.redmine.org/projects/redmine/repository/entry/tags/2.6.2/doc/CHANGELOG

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 10 | EXPL: 0

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

References:
http://www.debian.org/security/2016/dsa-3529
http://www.securityfocus.com/bid/78621
https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
https://www.redmine.org/issues/21136
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/projects/redmine/wiki/Changelog_3_1
https://www.redmine.org/versions/105

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.4 | EPSS: 0% | CPEs: 10 | EXPL: 0

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.

References:
http://www.debian.org/security/2016/dsa-3529
http://www.redmine.org/news/101
http://www.securityfocus.com/bid/78625
https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472
https://www.redmine.org/issues/19577

CVSS: 5.3 | EPSS: 0% | CPEs: 10 | EXPL: 0

app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

References:
http://www.debian.org/security/2016/dsa-3529
http://www.redmine.org/news/102
https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
https://www.redmine.org/issues/21150

CWE-199: Information Management Errors