
CVE-2023-47258 – Debian Security Advisory 5699-1
https://notcve.org/view.php?id=CVE-2023-47258
05 Nov 2023 — Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter. Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application. • https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-47259 – Debian Security Advisory 5699-1
https://notcve.org/view.php?id=CVE-2023-47259
05 Nov 2023 — Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter. Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application. • https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-47260 – Debian Security Advisory 5699-1
https://notcve.org/view.php?id=CVE-2023-47260
05 Nov 2023 — Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails. Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application. • https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-44637
https://notcve.org/view.php?id=CVE-2022-44637
12 Dec 2022 — Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user. • https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-44031
https://notcve.org/view.php?id=CVE-2022-44031
12 Dec 2022 — Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization of the blockquote syntax in Textile-formatted fields. • https://www.redmine.org/projects/redmine/wiki/Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-44030
https://notcve.org/view.php?id=CVE-2022-44030
06 Dec 2022 — Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user. • https://www.redmine.org/news/139 • CWE-755: Improper Handling of Exceptional Conditions

CVE-2021-42326
https://notcve.org/view.php?id=CVE-2021-42326
12 Oct 2021 — Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. • https://lists.debian.org/debian-lts-announce/2021/10/msg00013.html

CVE-2021-37156
https://notcve.org/view.php?id=CVE-2021-37156
05 Aug 2021 — Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated. • https://www.redmine.org/news/132 • CWE-613: Insufficient Session Expiration

CVE-2021-31863
https://notcve.org/view.php?id=CVE-2021-31863
28 Apr 2021 — Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-20: Improper Input Validation

CVE-2021-31864
https://notcve.org/view.php?id=CVE-2021-31864
28 Apr 2021 — Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html