CVSS: 7.4EPSS: 0%CPEs: 10EXPL: 0CVE-2015-8474
https://notcve.org/view.php?id=CVE-2015-8474
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985. Vulnerabilidad de redirección abierta en la función valid_back_url en app/controllers/application_controller.rb en Redmine en versiones anteriores a 2.6.7, 3.0.x en versiones anteriores a 3.0.5 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de un parámetro back_url manipulado, según lo demostrado por "@attacker.com", una vulnerabilidad diferente a CVE-2014-1985. • http://www.debian.org/security/2016/dsa-3529 http://www.redmine.org/news/101 http://www.securityfocus.com/bid/78625 https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 https://www.redmine.org/issues/19577 •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2015-8346
https://notcve.org/view.php?id=CVE-2015-8346
app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form. app/views/timelog/_form.html.erb en Redmine en versiones anteriores a 2.6.8, 3.0.x en versiones anteriores a 3.0.6 y 3.1.x en versiones anteriores a 3.1.2 permite a atacantes remotos obtener información sensible sobre temas de problemas visualizando el formulario de tiempo de acceso. • http://www.debian.org/security/2016/dsa-3529 http://www.redmine.org/news/102 https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c https://www.redmine.org/issues/21150 • CWE-199: Information Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2015-8537
https://notcve.org/view.php?id=CVE-2015-8537
app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed. app/views/journals/index.builder en Redmine en versiones anteriores a 2.6.9, 3.0.x en versiones anteriores a 3.0.7 y 3.1.x en versiones anteriores a 3.1.3 permite a atacantes remotos obtener información sensible visualizando un feed Atom. • http://www.debian.org/security/2016/dsa-3529 http://www.redmine.org/news/103 https://github.com/redmine/redmine/commit/7e423fb4538247d59e01958c48b491f196a1de56 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 1CVE-2014-1985
https://notcve.org/view.php?id=CVE-2014-1985
Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back url (back_url parameter). Vulnerabilidad de redirección abierta en la función redirect_back_or_default en app/controllers/application_controller.rb en Redmine anterior a 2.4.5 y 2.5.x anterior a 2.5.1 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de una URL en la url back (parámetro back_url). • http://jvn.jp/en/jp/JVN93004610/index.html http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000041.html http://seclists.org/oss-sec/2014/q2/84 http://secunia.com/advisories/57524 http://www.redmine.org/projects/redmine/wiki/Changelog http://www.redmine.org/projects/redmine/wiki/Changelog_2_4 http://www.redmine.org/projects/redmine/wiki/Security_Advisories http://www.securityfocus.com/bid/66674 https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 41EXPL: 0CVE-2011-4928
https://notcve.org/view.php?id=CVE-2011-4928
Cross-site scripting (XSS) vulnerability in the textile formatter in Redmine before 1.0.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el formateador texttile en Redmine anterior a v1.0.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante vectores desconocidos. • http://www.debian.org/security/2011/dsa-2261 http://www.openwall.com/lists/oss-security/2012/01/06/5 http://www.openwall.com/lists/oss-security/2012/01/06/7 http://www.redmine.org/news/49 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •