CVE-2025-4011
Description
A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Redmine's Custom Query Handler allows an attacker to inject arbitrary HTML/JavaScript via the Name parameter, requiring user interaction for exploitation.
Vulnerability
CVE-2025-4011 is a cross-site scripting (XSS) vulnerability found in Redmine versions 6.0.0 through 6.0.3. The flaw resides in the Custom Query Handler, where the 'Name' argument is not properly sanitized before being processed. This allows an attacker to inject malicious scripts that execute in the context of the victim's browser [1].
Exploitation
The attack can be initiated remotely, likely by tricking an authenticated user into clicking a crafted link or submitting a form with the malicious payload. No special network position is required, but the user must interact with the malicious input. The vulnerability is classified as problematic with a CVSS score of 3.5 (Low), indicating limited impact or complexity [2].
Impact
Successful exploitation enables an attacker to execute arbitrary HTML and JavaScript in the victim's Redmine session. This could lead to session hijacking, unauthorized actions, or defacement within the application. However, due to the need for user interaction, the overall risk is considered low.
Mitigation
The issue has been addressed in Redmine version 6.0.4. Users are strongly recommended to upgrade to this version or later. No workarounds are documented [1][2].
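As an added illustration (not part of the CVE record or of Redmine's own code), a defender-side check in Ruby that scans web-server access logs for custom-query requests whose Name value carries HTML markup characters, which a legitimate saved-query title never needs. The `/queries` path and the `query[name]` parameter name are assumptions about how the custom query form submits, and the log lines are constructed samples.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines (combined log format, not real traffic).
# The endpoint path (/queries) and the parameter name (query[name]) are
# assumptions about Redmine's custom query form; adjust to your deployment.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - alice [20/May/2026:10:01:02 +0000] "GET /queries/new?query%5Bname%5D=Open+bugs HTTP/1.1" 200 5120
  10.0.0.9 - - [20/May/2026:10:02:17 +0000] "GET /queries/new?query%5Bname%5D=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5131
  10.0.0.5 - alice [20/May/2026:10:03:44 +0000] "GET /issues HTTP/1.1" 200 8201
LOG

# Pull method and request target out of the quoted request field.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Return the decoded query[name] value of a custom-query request, or nil.
def query_name_from(target)
  uri = URI.parse(target)
  return nil unless uri.path.start_with?('/queries') && uri.query
  params = CGI.parse(uri.query) # values are arrays, keys are URL-decoded
  params['query[name]']&.first
rescue URI::InvalidURIError
  nil
end

# A saved-query title has no reason to contain tag delimiters or a
# javascript: scheme; either is worth a closer look in the application log.
def suspicious_name?(name)
  !name.nil? && name.match?(/[<>]|javascript:/i)
end

# Scan log text and return [line, decoded_name] pairs that look suspicious.
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line) or next
    name = query_name_from(m[:target])
    [line.strip, name] if suspicious_name?(name)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |line, name|
    puts "suspicious custom query name #{name.inspect}: #{line}"
  end
end
```

Hits should be correlated with the Redmine application log and the acting user before any response; the check flags markup in a title, not a confirmed exploitation.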
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.