This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Redmine First view 2016-04-12
Product Redmine Last view 2021-10-12
Version 3.0.1 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:redmine:redmine

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
5.3 2021-10-12 CVE-2021-42326

Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.

5.3 2021-04-28 CVE-2021-31866

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

5.3 2021-04-28 CVE-2021-31865

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.

5.3 2021-04-28 CVE-2021-31864

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.

7.5 2021-04-28 CVE-2021-31863

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.

9.8 2021-04-06 CVE-2021-30164

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

7.5 2021-04-06 CVE-2021-30163

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

5.3 2021-04-06 CVE-2020-36308

Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

6.1 2021-04-06 CVE-2020-36307

Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

6.1 2021-04-06 CVE-2020-36306

Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

5.3 2021-04-06 CVE-2019-25026

Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

6.1 2021-03-29 CVE-2021-29274

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.

6.5 2019-11-21 CVE-2019-18890

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

6.1 2019-10-09 CVE-2019-17427

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

8.8 2018-01-10 CVE-2017-18026

Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.

4.3 2017-11-13 CVE-2017-16804

In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

7.5 2017-10-17 CVE-2017-15577

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.

7.5 2017-10-17 CVE-2017-15576

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.

7.3 2017-10-17 CVE-2017-15575

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.

6.1 2017-10-17 CVE-2017-15574

In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.

6.1 2017-10-17 CVE-2017-15573

In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.

7.5 2017-10-17 CVE-2017-15572

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.

6.1 2017-10-17 CVE-2017-15571

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.

6.1 2017-10-17 CVE-2017-15570

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.

6.1 2017-10-17 CVE-2017-15569

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.

CWE : Common Weakness Enumeration

%idName
50% (11) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
22% (5) CWE-200 Information Exposure
4% (1) CWE-532 Information Leak Through Log Files
4% (1) CWE-203 Information Exposure Through Discrepancy
4% (1) CWE-199 Information Management Errors
4% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
4% (1) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
4% (1) CWE-20 Improper Input Validation

Nessus® Vulnerability Scanner

id Description
2018-05-04 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4191.nasl - Type: ACT_GATHER_INFO
2016-03-24 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3529.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_21bc4d719ed811e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_3ec2e0bc9ed711e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_be63533c9ed711e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-11-30 Name: The remote Debian host is missing a security update.
File: debian_DLA-351.nasl - Type: ACT_GATHER_INFO