Project

General

Profile

Actions

Security Advisories » History » Revision 20

« Previous | Revision 20/77 (diff) | Next »
Jean-Philippe Lang, 2015-12-05 09:53


Redmine Security Advisories

This page lists the security vulnerabilities that were fixed in Redmine releases, starting from 1.3.0. If you think that you've found a security vulnerability, please report it by sending an email to: security(at)redmine.org.

Severity Details Affected versions Fixed versions
Moderate Data disclosure in atom feed All prior releases 2.6.9, 3.0.7 and 3.1.3
Moderate Data disclosure on the time logging form All prior releases 2.6.8, 3.0.6 and 3.1.2
Moderate Open Redirect vulnerability 2.5.1 to 2.6.6, 3.0.0 to 3.0.4 and 3.1.0 2.6.7, 3.0.5 and 3.1.1
Low Potential XSS vulnerability when rendering some flash messages All prior releases 2.6.2 and 3.0.0
Moderate Potential data leak (project names) in the invalid form authenticity token error screen All prior releases 2.4.6 and 2.5.2
Moderate Open Redirect vulnerability (referenced as JVN#93004610, CVE-2014-1985) All prior releases 2.4.5 and 2.5.1
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.4 2.2.4, 2.3.0
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.3 2.2.3
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.1 and 2.1.6 Fix for 1.4.7
Critical Ruby on Rails vulnerability (announcement) All releases prior to 2.2.1 and 2.1.6 1.4.7
Critical Ruby on Rails vulnerability (announcement) All prior releases 2.2.1, 2.1.6, 1.4.6
Moderate XSS vulnerability 2.1.0 and 2.1.1 2.1.2
High Persistent XSS vulnerability (referenced as JVN#93406632, CVE-2012-0327) All prior releases 1.3.2
Moderate Mass-assignemnt vulnerability that would allow an attacker to bypass part of the security checks All prior releases 1.3.2
High Vulnerability that would allow an attacker to bypass the CSRF protection All prior releases 1.3.0

Updated by Jean-Philippe Lang over 8 years ago · 20 revisions locked