Redmine
by Redmine
Source repositories
CVEs (56)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-30164 | 0.00 | — | 0.01 | Apr 6, 2021 | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. | |||
| CVE-2021-29274 | 0.00 | — | 0.01 | Mar 29, 2021 | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. | |||
| CVE-2019-18890 | 0.00 | — | 0.04 | Nov 21, 2019 | A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. | |||
| CVE-2019-17427 | 0.00 | — | 0.02 | Oct 10, 2019 | In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. | |||
| CVE-2019-15950 | 0.00 | — | 0.01 | Sep 16, 2019 | The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. | |||
| CVE-2017-18026 | Hig | 0.00 | 8.8 | 0.03 | Jan 10, 2018 | Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name… | ||
| CVE-2014-1985 | 0.00 | — | 0.03 | Apr 11, 2014 | Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back… | |||
| CVE-2011-4928 | 0.00 | — | 0.02 | Oct 8, 2012 | Cross-site scripting (XSS) vulnerability in the textile formatter in Redmine before 1.0.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2011-4927 | 0.00 | — | 0.01 | Oct 8, 2012 | Unspecified vulnerability in the bazaar repository adapter in Redmine 1.0.x before 1.0.5 allows remote authenticated users to obtain sensitive information via unknown vectors. | |||
| CVE-2012-2054 | 0.00 | — | 0.02 | Apr 5, 2012 | Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)… | |||
| CVE-2012-0327 | 0.00 | — | 0.02 | Apr 5, 2012 | Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2011-1723 | 0.00 | — | 0.04 | Apr 19, 2011 | Cross-site scripting (XSS) vulnerability in app/views/layouts/base.rhtml in Redmine 1.0.1 through 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to projects/hg-helloworld/news/. NOTE: some of these details are obtained from third party… | |||
| CVE-2009-4459 | 0.00 | — | 0.01 | Dec 30, 2009 | Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which… | |||
| CVE-2009-4079 | 0.00 | — | 0.01 | Nov 25, 2009 | Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors. | |||
| CVE-2009-4078 | 0.00 | — | 0.02 | Nov 25, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-4481 | 0.00 | — | 0.01 | Oct 8, 2008 | Cross-site scripting (XSS) vulnerability in Redmine 0.7.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
- CVE-2021-30164Apr 6, 2021risk 0.00cvss —epss 0.01
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
- CVE-2021-29274Mar 29, 2021risk 0.00cvss —epss 0.01
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.
- CVE-2019-18890Nov 21, 2019risk 0.00cvss —epss 0.04
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
- CVE-2019-17427Oct 10, 2019risk 0.00cvss —epss 0.02
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
- CVE-2019-15950Sep 16, 2019risk 0.00cvss —epss 0.01
The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data.
- risk 0.00cvss 8.8epss 0.03
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name…
- CVE-2014-1985Apr 11, 2014risk 0.00cvss —epss 0.03
Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back…
- CVE-2011-4928Oct 8, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the textile formatter in Redmine before 1.0.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2011-4927Oct 8, 2012risk 0.00cvss —epss 0.01
Unspecified vulnerability in the bazaar repository adapter in Redmine 1.0.x before 1.0.5 allows remote authenticated users to obtain sensitive information via unknown vectors.
- CVE-2012-2054Apr 5, 2012risk 0.00cvss —epss 0.02
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)…
- CVE-2012-0327Apr 5, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2011-1723Apr 19, 2011risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in app/views/layouts/base.rhtml in Redmine 1.0.1 through 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to projects/hg-helloworld/news/. NOTE: some of these details are obtained from third party…
- CVE-2009-4459Dec 30, 2009risk 0.00cvss —epss 0.01
Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which…
- CVE-2009-4079Nov 25, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors.
- CVE-2009-4078Nov 25, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-4481Oct 8, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Redmine 0.7.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Page 3 of 3