Jean-Philippe Lang, 2017-10-15 22:09


Redmine Security Advisories

This page lists the security vulnerabilities that were fixed in Redmine releases, starting from 1.3.0. If you think that you've found a security vulnerability, please report it by sending an email to: security(at)redmine.org.

| Severity | Details | External references | Affected versions | Fixed versions |
|---|---|---|---|---|
| High | Multiple XSS vulnerabilities | #27186 | All prior releases | 3.2.8, 3.3.5 and 3.4.3 |
| Moderate | Improper markup sanitization in wiki content | #25503 | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Use redirect on /account/lost_password to prevent password reset tokens in referers | #24416 | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Redmine.pm doesn't check that the repository module is enabled on project | #24307 | All prior releases | 3.2.6 and 3.3.3 |
| High | Stored XSS with SVG attachments | #24199 | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Information leak when rendering Time Entry on activity view | #23803 | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Information leak when rendering Wiki links | #23793 | All prior releases | 3.2.6 and 3.3.3 |
| High | Persistent XSS vulnerabilities in text formatting (Textile and Markdown) and project homepage | | All prior releases | 3.2.3 |
| Critical | ImageMagick vulnerabilities | CVE-2016-3714 | All prior releases since 2.1.0 | 3.1.5 and 3.2.2 |
| Moderate | Data disclosure in atom feed | CVE-2015-8537 | All prior releases | 2.6.9, 3.0.7 and 3.1.3 |
| Moderate | Potential changeset message disclosure in issues API | CVE-2015-8473 | All prior releases | 2.6.8, 3.0.6 and 3.1.2 |
| Moderate | Data disclosure on the time logging form | CVE-2015-8346 | All prior releases | 2.6.8, 3.0.6 and 3.1.2 |
| Moderate | Open Redirect vulnerability | CVE-2015-8474 | 2.5.1 to 2.6.6, 3.0.0 to 3.0.4 and 3.1.0 | 2.6.7, 3.0.5 and 3.1.1 |
| Low | Potential XSS vulnerability when rendering some flash messages | CVE-2015-8477 | All prior releases | 2.6.2 and 3.0.0 |
| Moderate | Potential data leak (project names) in the invalid form authenticity token error screen | | All prior releases | 2.4.6 and 2.5.2 |
| Moderate | Open Redirect vulnerability | JVN#93004610, CVE-2014-1985 | All prior releases | 2.4.5 and 2.5.1 |
| Critical | Ruby on Rails vulnerability (announcement) | | All releases prior to 2.2.4 | 2.2.4, 2.3.0 |
| Critical | Ruby on Rails vulnerability (announcement) | | All releases prior to 2.2.3 | 2.2.3 |
| Critical | Ruby on Rails vulnerability (announcement) | | All releases prior to 2.2.1 and 2.1.6 | Fix for 1.4.7 |
| Critical | Ruby on Rails vulnerability (announcement) | | All releases prior to 2.2.1 and 2.1.6 | 1.4.7 |
| Critical | Ruby on Rails vulnerability (announcement) | | All prior releases | 2.2.1, 2.1.6, 1.4.6 |
| Moderate | XSS vulnerability | | 2.1.0 and 2.1.1 | 2.1.2 |
| High | Persistent XSS vulnerability | JVN#93406632, CVE-2012-0327 | All prior releases | 1.3.2 |
| Moderate | Mass-assignment vulnerability that would allow an attacker to bypass part of the security checks | | All prior releases | 1.3.2 |
| High | Vulnerability that would allow an attacker to bypass the CSRF protection | | All prior releases | 1.3.0 |
