Skip to main content

Redmine CVE-2023-47258

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-05 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 05, 2023 - 04:15 nvd
MEDIUM 6.1

DescriptionNVD

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.

AnalysisAI

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter. Affected products include: Redmine. Version information: before 4.2.11.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2014-1985 MEDIUM POC
5.8 Apr 11

Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Red

CVE-2021-29274 MEDIUM POC
6.1 Mar 29

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Rated medium se

CVE-2021-30164 CRITICAL
9.8 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by lev

CVE-2017-15572 HIGH
7.5 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens

CVE-2017-15577 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obt

CVE-2017-15576 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attac

CVE-2022-44030 HIGH
7.5 Dec 06

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permis

CVE-2021-37156 HIGH
7.5 Aug 05

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's

CVE-2021-31863 HIGH
7.5 Apr 28

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x b

CVE-2021-30163 HIGH
7.5 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal

CVE-2015-8474 HIGH
7.4 Apr 12

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine befor

CVE-2017-15575 HIGH
7.3 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in

Share

CVE-2023-47258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy