Query for Redmine vulnerabilities
Added by KUNTAL MONDAL 4 months ago
Hi Redmine Team
Our security team has done the source code scan for Redmine 5.1.2.
They have reported the below vulnerabilities.
• Code Injection
• Incomplete Regular expressions for hostnames
• SQL query built from user-controlled sources
• Regular expression injection
• Clear text storage of sensitive information
• CSRF protection is not enabled
Can you please let us know if there is a plan to fix these vulnerabilities in the upcoming releases?
Replies (1)
RE: Query for Redmine vulnerabilities - Added by Holger Just 4 months ago
You can report security vulnerabilities you have found to security(at)redmine.org. Our security team will have a look and coordinate fixes if required. See Submissions. When reporting vulnerabilities, please be as specific as possible:
- Please include all the minimal information described in Submissions.
- Please describe the issue in sufficient detail to allow us to reproduce it.
- Please ensure that your findings are actual security issues before reporting them. Often, automated scanners produce a large amount of false-positive findings which are not actually security issues.