Filtered by vendor Redmine Subscriptions
Total 51 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-17427 1 Redmine 1 Redmine 2024-11-21 6.1 Medium
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
CVE-2017-18026 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
CVE-2017-16804 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.
CVE-2017-15577 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.
CVE-2017-15576 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
CVE-2017-15575 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
CVE-2017-15574 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.
CVE-2017-15573 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.
CVE-2017-15572 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.
CVE-2017-15571 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.
CVE-2017-15570 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.
CVE-2017-15569 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.
CVE-2017-15568 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.
CVE-2016-10515 1 Redmine 1 Redmine 2024-11-21 N/A
In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.
CVE-2015-8537 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.
CVE-2015-8477 1 Redmine 1 Redmine 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.
CVE-2015-8474 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.
CVE-2015-8473 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
CVE-2015-8346 2 Debian, Redmine 2 Debian Linux, Redmine 2024-11-21 N/A
app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
CVE-2014-1985 1 Redmine 1 Redmine 2024-11-21 N/A
Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back url (back_url parameter).