This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Redmine First view 2014-04-11
Product Redmine Last view 2019-11-21
Version 2.2.0 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:redmine:redmine

Activity : Overall

Related : CVE

  Date Alert Description
6.5 2019-11-21 CVE-2019-18890

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

6.1 2019-10-09 CVE-2019-17427

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

8.8 2018-01-10 CVE-2017-18026

Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.

4.3 2017-11-13 CVE-2017-16804

In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

7.5 2017-10-17 CVE-2017-15577

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.

7.5 2017-10-17 CVE-2017-15576

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.

7.3 2017-10-17 CVE-2017-15575

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.

6.1 2017-10-17 CVE-2017-15574

In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.

6.1 2017-10-17 CVE-2017-15573

In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.

7.5 2017-10-17 CVE-2017-15572

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.

6.1 2017-10-17 CVE-2017-15571

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.

6.1 2017-10-17 CVE-2017-15570

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.

6.1 2017-10-17 CVE-2017-15569

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.

6.1 2017-10-17 CVE-2017-15568

In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.

6.1 2017-10-17 CVE-2016-10515

In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.

6.1 2017-05-23 CVE-2015-8477

Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.

5.3 2016-04-12 CVE-2015-8537

app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.

7.4 2016-04-12 CVE-2015-8474

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.

4.3 2016-04-12 CVE-2015-8473

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

5.3 2016-04-12 CVE-2015-8346

app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

5.8 2014-04-11 CVE-2014-1985

Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back url (back_url parameter).

CWE : Common Weakness Enumeration

%idName
50% (9) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
27% (5) CWE-200 Information Exposure
5% (1) CWE-532 Information Leak Through Log Files
5% (1) CWE-199 Information Management Errors
5% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
5% (1) CWE-20 Improper Input Validation

Nessus® Vulnerability Scanner

id Description
2018-05-04 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4191.nasl - Type: ACT_GATHER_INFO
2016-03-24 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3529.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_21bc4d719ed811e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_3ec2e0bc9ed711e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_939a70869ed611e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_be63533c9ed711e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-12-10 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_c2efcd469ed511e58f5c002590263bf5.nasl - Type: ACT_GATHER_INFO
2015-11-30 Name: The remote Debian host is missing a security update.
File: debian_DLA-351.nasl - Type: ACT_GATHER_INFO