Project

General

Profile

Actions

Redmine Security Advisories

This page lists the security vulnerabilities that were fixed in Redmine releases, starting from 1.3.0. If you think that you've found a security vulnerability, please report it by sending an email to: security(at)redmine.org.

To detect if your own Redmine is subject to any of these vulnerabilities, you can use Planio's Redmine Security Scanner.

Severity Details External references Affected versions Fixed versions
Moderate Insufficient permission check with watchers: the "Add watchers" permission effectively also granted "View watchers" (#40946) CVE-2024-47225 All prior releases 5.1.4 and 5.0.10
High XSS in Textile formatter (#38807) CVE-2023-47259 All prior releases 5.0.6 and 4.2.11
High XSS in Markdown formatter (#38806) CVE-2023-47258 All prior releases 5.0.6 and 4.2.11
High XSS Vulnerability in Thumbnails (#38417) CVE-2023-47260 All prior releases 5.0.6 and 4.2.11
Moderate Insufficient permission checks when adding attachments to issues (#38297) All prior releases 5.0.5 and 4.2.10
Low Avoid double-render error with ApplicationController#find_optional_project (#38063) All prior releases 5.0.5 and 4.2.10
Critical Access Control Issue in attachments#download_all (#37772) CVE-2022-44030 5.0.0 - 5.0.3 5.0.4
High Persistent XSS in textile formatting due to blockquote citation (#37751) CVE-2022-44031 All prior releases 5.0.4 and 4.2.9
High Redmine contains a cross-site scripting vulnerability (#37767) CVE-2022-44637 All prior releases 5.0.4 and 4.2.9
Moderate Open Redirect in attachments#download_all (#37880) All prior releases since 4.2.0 5.0.4 and 4.2.9
Moderate Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service (#37872) CVE-2022-39209 5.0.0 - 5.0.3 5.0.4
Moderate no-permission-check allows issue creation in closed/archived projects (#37187) All prior releases 5.0.2 and 4.2.7
High Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn (#37255) All prior releases since 3.4.0 5.0.2 and 4.2.7
High Remote code execution in commonmarker gem (#37136) CVE-2022-24724 5.0.0 and 5.0.1 5.0.2
Moderate 3 XSS security vulnerabilities in jQuery UI < v1.13.0 (#37256) CVE-2021-41182, CVE-2021-41183, CVE-2021-41184 All prior releases 5.0.2 and 4.2.7
Moderate Ruby on Rails vulnerability (announcement) CVE-2022-22577, CVS-2022-27777 All prior releases 5.0.1 and 4.2.6
Moderate Ruby on Rails vulnerability (announcement) CVE-2022-23633 All Redmine 4.* versions 4.2.4 and 4.1.6
Moderate Activities index view is leaking usernames (#35789) CVE-2021-42326 All prior releases 4.2.3 and 4.1.5
Low User sessions not reset after activation of two-factor authentication (#35417) CVE-2021-37156 4.2.0 and 4.2.1 4.2.2
High Ruby on Rails vulnerabilities (announcement) CVE-2021-22885, CVE-2021-22904 All prior releases 4.2.2 and 4.1.4
Low Mail handler bypasses add_issue_notes permission (#35045) CVE-2021-31864 All prior releases since 3.3.0 4.2.1, 4.1.3 and 4.0.9
Moderate Allowed filename extensions of attachments can be circumvented (#34367) CVE-2021-31865 All prior releases 4.2.1, 4.1.3 and 4.0.9
Critical Arbitrary file read in Git adapter (#35085) CVE-2021-31863 All prior releases 4.2.1, 4.1.3 and 4.0.9
Moderate SysController and MailHandlerController are vulnerable to timing attack (#34950) CVE-2021-31866 All prior releases to 4.2.0 4.2.0, 4.1.3 and 4.0.9
High Inline issue auto complete doesn't sanitize HTML tags (#33846) CVE-2021-29274 4.1.0 and 4.1.1 4.1.2 and 4.0.8
Moderate Names of private projects are leaked by issue journal details that contain project_id changes(#33360) CVE-2021-30163 All prior releases 4.1.2 and 4.0.8
High Issues API bypasses add_issue_notes permission (#33689) CVE-2021-30164 All prior releases since 3.3.0 4.1.2 and 4.0.8
High Ruby on Rails vulnerabilities (rails 5.2.4.3, rails 5.2.4.5) CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167, CVE-2021-22880, CVE-2021-22881 All prior releases 4.1.2 and 4.0.8
Moderate XSS vulnerability due to missing back_url validation (#32850) CVE-2020-36306 All prior releases 4.1.1 and 4.0.7
High Persistent XSS vulnerabilities in textile inline links (#32934) CVE-2020-36307 All prior releases 4.1.1 and 4.0.7
Moderate Time entries CSV export may disclose subjects of issues that are not visible CVE-2020-36308 All prior releases 4.1.1 and 4.0.7
Moderate Improper markup sanitization in Textile formatting (#25742) CVE-2019-25026 All prior releases 4.0.6 and 3.4.13
Critical SQL injection CVE-2019-18890 Redmine <= 3.3.9 3.3.10
High Persistent XSS in textile formatting CVE-2019-17427 All prior releases 3.4.11 and 4.0.4
Critical Ruby on Rails vulnerabilities (announcement) CVE-2019-5418, CVE-2019-5419, CVE-2019-5420 All prior releases 3.4.10 and 4.0.3
High Remote command execution through mercurial adapter CVE-2017-18026 All prior releases 3.2.9, 3.3.6 and 3.4.4
High Multiple XSS vulnerabilities (#27186) CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, CVE-2017-15571 All prior releases 3.2.8, 3.3.5 and 3.4.3
Low Email reminders reveal information about inaccessible issues (#25713) CVE-2017-16804 All prior releases 3.2.7, 3.3.4 and 3.4.0
Moderate Improper markup sanitization in wiki content (#25503) CVE-2017-15573 All prior releases 3.2.6 and 3.3.3
Moderate Use redirect on /account/lost_password to prevent password reset tokens in referers (#24416) CVE-2017-15572 All prior releases 3.2.6 and 3.3.3
Moderate Redmine.pm doesn't check that the repository module is enabled on project (#24307) CVE-2017-15575 All prior releases 3.2.6 and 3.3.3
High Stored XSS with SVG attachments (#24199) CVE-2017-15574 All prior releases 3.2.6 and 3.3.3
Moderate Information leak when rendering Time Entry on activity view (#23803) CVE-2017-15576 All prior releases 3.2.6 and 3.3.3
Moderate Information leak when rendering Wiki links (#23793) CVE-2017-15577 All prior releases 3.2.6 and 3.3.3
High Persistent XSS vulnerabilities in text formatting (Textile and Markdown) and project homepage CVE-2016-10515 All prior releases 3.2.3
Critical ImageMagick vulnerabilities CVE-2016-3714 All prior releases since 2.1.0 3.1.5 and 3.2.2
Moderate Data disclosure in atom feed CVE-2015-8537 All prior releases 2.6.9, 3.0.7 and 3.1.3
Moderate Potential changeset message disclosure in issues API CVE-2015-8473 All prior releases 2.6.8, 3.0.6 and 3.1.2
Moderate Data disclosure on the time logging form CVE-2015-8346 All prior releases 2.6.8, 3.0.6 and 3.1.2
Moderate Open Redirect vulnerability CVE-2015-8474 2.5.1 to 2.6.6, 3.0.0 to 3.0.4 and 3.1.0 2.6.7, 3.0.5 and 3.1.1
Low Potential XSS vulnerability when rendering some flash messages CVE-2015-8477 All prior releases 2.6.2 and 3.0.0
Moderate Potential data leak (project names) in the invalid form authenticity token error screen All prior releases 2.4.6 and 2.5.2
Moderate Open Redirect vulnerability JVN#93004610, CVE-2014-1985 All prior releases 2.4.5 and 2.5.1
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.4 2.2.4, 2.3.0
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.3 2.2.3
Critical Ruby on Rails vulnerability (announcement) CVE-2013-0333 All releases prior to and including 1.4.7 Fix for 1.4.7
Critical Ruby on Rails vulnerability (announcement) CVE-2013-0155 All prior releases 2.2.1, 2.1.6, 1.4.7
Critical Ruby on Rails vulnerability (announcement) CVE-2013-0156 All prior releases 2.2.1, 2.1.6, 1.4.6
Moderate XSS vulnerability 2.1.0 and 2.1.1 2.1.2
High Persistent XSS vulnerability JVN#93406632, CVE-2012-0327 All prior releases 1.3.2
Moderate Mass-assignemnt vulnerability that would allow an attacker to bypass part of the security checks All prior releases 1.3.2
High Vulnerability that would allow an attacker to bypass the CSRF protection All prior releases 1.3.0

Updated by Holger Just 29 days ago · 79 revisions locked