CVE-2009-4459 — Cross-site Scripting in Redmine

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 48.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redmine Debian Redmine

Timeline

PublishedDec 30

Latest updateMay 2

Description

Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as script by Internet Explorer 7 and 8.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/redmine< redmine 0.9.1-1 (bookworm)

▶Debianredmine/redmine< 0.9.1-1+1

▶NVDredmine/redmine0.8.7+26

🔴Vulnerability Details

GHSA

GHSA-vpxw-mhc6-mv6v: Redmine 0↗2022-05-02

▶

OSV

CVE-2009-4459: Redmine 0↗2009-12-30

▶

📋Vendor Advisories

Debian

CVE-2009-4459: redmine - Redmine 0.8.7 and earlier uses the title tag before defining the character encod...↗2009

▶