CVE-2022-44637 — Cross-site Scripting in Redmine

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.7%

top 28.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redmine Debian Redmine

Timeline

PublishedDec 12

Description

Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/redmine< redmine 5.0.4-1 (bookworm)

▶NVDredmine/redmine5.0.0 — 5.0.4+1

▶Debianredmine/redmine< 5.0.4-1+1

🔴Vulnerability Details

GHSA

GHSA-6839-6jhx-rcv7: Redmine before 4↗2022-12-12

▶

OSV

CVE-2022-44637: Redmine before 4↗2022-12-12

▶

📋Vendor Advisories

Debian

CVE-2022-44637: redmine - Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile...↗2022

▶