← Back

CVE-2015-8474

nvd nist
Published: Apr 12, 2016Modified: May 6, 2026

JSON object

Loading...
7.4
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 4.0
Source: NVD

Description

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.

Affected (10)

Debian
1 product
Debian Linux
Redmine
1 product
Redmine
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 7.0
Debian Linux
Version 8.0
Configuration B
8 vulnerable
Vulnerable SoftwareAffected Versions
Redmine
Redmine
Up to 2.6.6
Redmine
Version 2.5.1
Redmine
Version 3.0.0
Redmine
Version 3.0.1
Redmine
Version 3.0.2
Redmine
Version 3.0.3
Redmine
Version 3.0.4
Redmine
Version 3.1.0

References (10)

Source: cve@mitre.org
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.