VYPR
Vendor: Redmine
Products: 2
CVEs: 57 (57 across products)
Status: Private

Recent CVEs (57)

  • CVE-2024-36267 | High | May 30, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    Path traversal vulnerability exists in Redmine DMSF Plugin versions prior to 3.1.4. If this vulnerability is exploited, a logged-in user may obtain or delete arbitrary files on the server (within the privilege of the Redmine process).

  • CVE-2017-15577 | High | Oct 18, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.

  • CVE-2017-15576 | High | Oct 18, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.

  • CVE-2017-15572 | High | Oct 18, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.

  • CVE-2017-15575 | High | Oct 18, 2017
    risk 0.48 | cvss 7.3 | epss 0.01

    In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.

  • CVE-2015-8474 | High | Apr 12, 2016
    risk 0.41 | cvss 7.4 | epss 0.02

    Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted…

  • CVE-2017-15574 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.

  • CVE-2017-15573 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.

  • CVE-2017-15571 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.

  • CVE-2017-15570 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.

  • CVE-2017-15569 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.

  • CVE-2017-15568 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.

  • CVE-2016-10515 | Medium | Oct 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.

  • CVE-2015-8477 | Medium | May 23, 2017
    risk 0.40 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.

  • CVE-2026-1836 | Medium | Jun 12, 2026
    risk 0.34 | cvss not listed | epss 0.00

    The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

  • CVE-2017-16804 | Medium | Nov 13, 2017
    risk 0.28 | cvss 4.3 | epss 0.02

    In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

  • CVE-2015-8537 | Medium | Apr 12, 2016
    risk 0.28 | cvss 5.3 | epss 0.02

    app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.

  • CVE-2015-8346 | Medium | Apr 12, 2016
    risk 0.28 | cvss 5.3 | epss 0.02

    app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

  • CVE-2025-4011 | Low | Apr 28, 2025
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated…

  • CVE-2015-8473 | Medium | Apr 12, 2016
    risk 0.21 | cvss 4.3 | epss 0.02

    The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.