CVE-2025-4011 — Cross-site Scripting in Redmine

CWE-79 — Cross-site Scripting CWE-94 — Code Injection4 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.2%

top 59.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redmine Debian Redmine

Timeline

PublishedApr 28

Description

A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶debiandebian/redmine< redmine 6.0.4+ds-1 (sid)

▶Debianredmine/redmine< 6.0.4+ds-1

🔴Vulnerability Details

GHSA

GHSA-hhw5-9q3f-7w82: A vulnerability has been found in Redmine 6↗2025-04-28

▶

OSV

CVE-2025-4011: A vulnerability has been found in Redmine 6↗2025-04-28

▶

📋Vendor Advisories

Debian

CVE-2025-4011: redmine - A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified...↗2025

▶