Debian Redmine vulnerabilities
49 known vulnerabilities affecting debian/redmine.
Total CVEs: 49
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 9, MEDIUM 35, LOW 4
Vulnerabilities
Page 2 of 3
CVE-2019-25026 | MEDIUM | CVSS 5.3 | fixed in redmine 4.0.6-1 (bookworm) | 2019
Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.
Scope: local
bookworm: resolved (fixed in 4.0.6-1)
sid: resolved (fixed in 4.0.6-1)
trixie: resolved (fixed in 4.0.6-1)
CVE-2019-17427 | MEDIUM | CVSS 6.1 | fixed in redmine 4.0.4-1 (bookworm) | 2019
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
Scope: local
bookworm: resolved (fixed in 4.0.4-1)
sid: resolved (fixed in 4.0.4-1)
trixie: resolved (fixed in 4.0.4-1)
CVE-2017-18026 | HIGH | CVSS 8.8 | fixed in redmine 3.4.4-1 (bookworm) | 2017
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
Scope:
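The flag injection described above, as an added example that is not Redmine's Mercurial adapter: a branch name beginning with --config= or --debugger= is handed to hg as a bare token, and hg reads it as a global option rather than as a revision. Shell escaping does not help, because the escaped token reaches hg unchanged; the fix is to refuse option-shaped names before building the command. The binary name, repository path and helper names are assumptions, and nothing here executes hg.

```ruby
require 'shellwords'

HG = 'hg'.freeze # assumed binary name; this file never runs it

# Vulnerable shape: the branch name is placed on the command line as-is.
# Shellwords.join keeps the shell safe, but the token still arrives at hg
# as "--config=...", which hg treats as its global --config option.
def hg_log_cmd_unsafe(repo_path, branch)
  Shellwords.join([HG, '-R', repo_path, 'log', '-r', branch])
end

class UnsafeRevisionError < ArgumentError; end

# Reject anything hg could parse as an option (leading "-") and anything
# that could break a line-oriented protocol. Illustrative policy, not
# Redmine's own validation.
def safe_revision?(name)
  return false if name.nil? || name.empty?
  return false if name.start_with?('-')          # --config=, --debugger=, -R ...
  return false if name.match?(/[\x00-\x1f\x7f]/) # control characters
  true
end

# Hardened shape: validate first, then return argv for spawning without a shell.
def hg_log_argv_safe(repo_path, branch)
  raise UnsafeRevisionError, "refusing revision #{branch.inspect}" unless safe_revision?(branch)
  [HG, '-R', repo_path, 'log', '-r', branch]
end

# Detection helper: does any token match the two options named in the CVE?
def option_injection?(argv)
  argv.any? { |tok| tok.start_with?('--config', '--debugger') }
end
```

The unsafe builder is included only to make the point that quoting is the wrong layer: argument injection is prevented by rejecting or re-shaping the value, not by escaping it.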
CVE-2017-15572 | HIGH | CVSS 7.5 | fixed in redmine 3.4.2-1 (bookworm) | 2017
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
CVE-2017-15575 | HIGH | CVSS 7.3 | fixed in redmine 3.4.2-1 (bookworm) | 2017
In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (f
CVE-2017-15577 | HIGH | CVSS 7.5 | fixed in redmine 3.4.2-1 (bookworm) | 2017
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
CVE-2017-15576 | HIGH | CVSS 7.5 | fixed in redmine 3.4.2-1 (bookworm) | 2017
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
CVE-2017-15570 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.4-1 (bookworm) | 2017
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.
Scope: local
bookworm: resolved (fixed in 3.4.4-1)
sid: resolved (fixed in 3.4.4-1)
trixie: resolved (fixed in 3.4.4-1)
CVE-2017-15571 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.4-1 (bookworm) | 2017
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.
Scope: local
bookworm: resolved (fixed in 3.4.4-1)
sid: resolved (fixed in 3.4.4-1)
trixie: resolved (fixed in 3.4.4-1)
CVE-2017-15573 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.2-1 (bookworm) | 2017
In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
CVE-2017-16804 | MEDIUM | CVSS 4.3 | fixed in redmine 3.4.2-1 (bookworm) | 2017
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
CVE-2017-15574 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.2-1 (bookworm) | 2017
In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
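The SVG attachment case above, as an added example that is not Redmine's attachments controller: an SVG file is an XML document that may carry script or event handlers, so the safe default is to never render user uploads inline in the application's origin unless their type is on a short safelist. The function below builds the response headers for serving an upload; the safelist, header values and helper names are assumptions.

```ruby
# Types that may be rendered inline. image/svg+xml is deliberately absent.
INLINE_SAFE_TYPES = %w[image/png image/jpeg image/gif text/plain application/pdf].freeze

# Normalise a stored content type: lower-case, parameters stripped, never empty.
def normalise_type(declared_type)
  type = declared_type.to_s.downcase.split(';').first.to_s.strip
  type.empty? ? 'application/octet-stream' : type
end

# Only the filename goes into Content-Disposition; quotes, backslashes and
# line breaks are replaced so the header cannot be re-quoted or split.
def disposition_filename(filename)
  filename.gsub(/["\\\r\n]/, '_')
end

# Headers for serving one uploaded file. The content type must come from the
# stored attachment record, not from the request.
def attachment_headers(filename, declared_type)
  type = normalise_type(declared_type)
  disposition = INLINE_SAFE_TYPES.include?(type) ? 'inline' : 'attachment'
  {
    'Content-Type' => type,
    # stops browsers sniffing a body labelled image/png that is really SVG or HTML
    'X-Content-Type-Options' => 'nosniff',
    # defence in depth: even if something is rendered, it has no origin and no script
    'Content-Security-Policy' => "sandbox; default-src 'none'",
    'Content-Disposition' => "#{disposition}; filename=\"#{disposition_filename(filename)}\"",
  }
end
```

Forcing `attachment` is what removes the stored XSS; `nosniff` and the sandboxing CSP cover the cases where a type is mislabelled or a safelisted type is rendered anyway.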
CVE-2017-15569 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.4-1 (bookworm) | 2017
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.
Scope: local
bookworm: resolved (fixed in 3.4.4-1)
sid: resolved (fixed in 3.4.4-1)
trixie: resolved (fixed in 3.4.4-1)
CVE-2017-15568 | MEDIUM | CVSS 6.1 | fixed in redmine 3.4.4-1 (bookworm) | 2017
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.
Scope: local
bookworm: resolved (fixed in 3.4.4-1)
sid: resolved (fixed in 3.4.4-1)
trixie: resolved (fixed in 3.4.4-1)
CVE-2016-10515 | MEDIUM | CVSS 6.1 | fixed in redmine 3.2.3-1 (bookworm) | 2016
In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.
Scope: local
bookworm: resolved (fixed in 3.2.3-1)
sid: resolved (fixed in 3.2.3-1)
trixie: resolved (fixed in 3.2.3-1)
CVE-2015-8537 | MEDIUM | CVSS 5.3 | fixed in redmine 3.2.0-1 (bookworm) | 2015
app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.
Scope: local
bookworm: resolved (fixed in 3.2.0-1)
sid: resolved (fixed in 3.2.0-1)
trixie: resolved (fixed in 3.2.0-1)
CVE-2015-8474 | MEDIUM | CVSS 5.8 | fixed in redmine 3.2.0-1 (bookworm) | 2015
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than C
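The back_url check described above, as an added example that is not Redmine's valid_back_url: a naive substring test accepts "https://redmine.example.org@attacker.com/" because the trusted host appears in it, but browsers treat everything before "@" as userinfo and navigate to attacker.com. The hardened version parses the URL and accepts only a plain same-origin path or an absolute URL whose scheme, host and (absent) userinfo all check out. ALLOWED_HOST, ALLOWED_SCHEMES and the function names are assumptions; Redmine compares against the request host rather than a constant.

```ruby
require 'uri'

ALLOWED_HOST = 'redmine.example.org'.freeze   # assumed; a real app uses the request host
ALLOWED_SCHEMES = %w[http https].freeze

# Vulnerable shape: substring matching. Passes the "@attacker.com" trick and
# also "https://redmine.example.org.attacker.com/".
def valid_back_url_naive?(back_url)
  back_url.include?("://#{ALLOWED_HOST}") || back_url.start_with?('/')
end

# Hardened shape: parse, then require either a local absolute path or a full
# URL on the expected origin with no userinfo component.
def valid_back_url?(back_url)
  return false if back_url.nil? || back_url.empty?
  return false if back_url.match?(/[\x00-\x20\\]/) # control chars, spaces, backslashes
  uri = URI.parse(back_url)
  if uri.scheme.nil? && uri.host.nil?
    # relative reference: "/path" is fine, "//host/path" is protocol-relative and is not
    return back_url.start_with?('/') && !back_url.start_with?('//')
  end
  return false unless ALLOWED_SCHEMES.include?(uri.scheme)
  return false unless uri.userinfo.nil?          # rejects "trusted-host@attacker.com"
  uri.host == ALLOWED_HOST
rescue URI::InvalidURIError
  false
end
```

Parsing with the same rules the browser applies (userinfo, protocol-relative references, backslashes that some browsers normalise to slashes) is what makes the check hold; string comparison against a host name does not.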
CVE-2015-8346 | MEDIUM | CVSS 5.3 | fixed in redmine 3.2.0-1 (bookworm) | 2015
app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
Scope: local
bookworm: resolved (fixed in 3.2.0-1)
sid: resolved (fixed in 3.2.0-1)
trixie: resolved (fixed in 3.2.0-1)
CVE-2015-8473 | MEDIUM | CVSS 4.3 | fixed in redmine 3.2.0-1 (bookworm) | 2015
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
Scope: local
bookworm: resolved (fixed in 3.2.0-1)
sid: resolved (fixed in 3.2.0-1)
trixie: resolved (fixed in 3
CVE-2015-8477 | LOW on this page's card, MEDIUM in its summary line | CVSS 6.1 | fixed in redmine 3.0~20140825-5 (bookworm) | 2015
Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering.
Scope: local
bookworm: resolved (fixed in 3.0~20140825-5)
sid: resolved (fixed in 3.0~20140825-5)
trixie: resolved (fixed in 3.0~20140825-5)