
Redmine

redmine

51 CVEs • 2 products

Products (2)


CVEs (51)

Each entry below lists: vendors (count), products (count), updated date, published date, CVSS v4 / v3 / v2 scores, and the vulnerability description.
Vendors (1): Redmine | Products (1): Redmine | Updated: Nov 21, 2024 | Published: Oct 10, 2019 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: Nov 21, 2024 | Published: Jan 10, 2018 | CVSS v4: N/A | v3: 8.8 HIGH | v2: 6.8 MEDIUM
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Nov 13, 2017 | CVSS v4: N/A | v3: 4.3 MEDIUM | v2: 4.0 MEDIUM
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 7.5 HIGH | v2: 5.0 MEDIUM
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 7.5 HIGH | v2: 5.0 MEDIUM
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 7.3 HIGH | v2: 7.5 HIGH
In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 7.5 HIGH | v2: 5.0 MEDIUM
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.

Vendors (1): Redmine | Products (1): Redmine | Updated: May 13, 2026 | Published: Oct 18, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.

Vendors (1): Redmine | Products (1): Redmine | Updated: May 13, 2026 | Published: May 23, 2017 | CVSS v4: N/A | v3: 6.1 MEDIUM | v2: 4.3 MEDIUM
Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 6, 2026 | Published: Apr 12, 2016 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: 5.0 MEDIUM
app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 6, 2026 | Published: Apr 12, 2016 | CVSS v4: N/A | v3: 7.4 HIGH | v2: 5.8 MEDIUM
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 6, 2026 | Published: Apr 12, 2016 | CVSS v4: N/A | v3: 4.3 MEDIUM | v2: 4.0 MEDIUM
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

Vendors (2): Debian, Redmine | Products (2): Debian Linux, Redmine | Updated: May 6, 2026 | Published: Apr 12, 2016 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: 5.0 MEDIUM
app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

Vendors (1): Redmine | Products (1): Redmine Git Hosting Plugin | Updated: May 6, 2026 | Published: Dec 28, 2014 | CVSS v4: N/A | v3: N/A | v2: 7.5 HIGH
git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.