Holger Just, 2026-01-06 23:29
Set severities of recent vulnerabilities, update issue reference
Redmine Security Advisories
This page lists the security vulnerabilities that were fixed in Redmine releases, starting from 1.3.0. If you think that you've found a security vulnerability, please report it by sending an email to: security(at)redmine.org.
To detect if your own Redmine is subject to any of these vulnerabilities, you can use Planio's Redmine Security Scanner.
| Severity | Details | External references | Credits | Affected versions | Fixed versions |
|---|---|---|---|---|---|
| Moderate | Authorization bypass in Redmine allows deletion of attachments on invisible issues (#43635) | | Albor | All prior releases since 4.1.5 | 6.1.1, 6.0.8 and 5.1.11 |
| Moderate | Authorization bypass in Redmine allows modification of attachment metadata on invisible issues (#43634) | | Albor | All prior releases since 3.3.0 | 6.1.1, 6.0.8 and 5.1.11 |
| Critical | PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation (#43451) | | Elweth from YesWeHack | All prior releases since 4.2.0 | 6.1.1, 6.0.8 and 5.1.11 |
| High | Information disclosure in Two-Factor Authentication (#43083) | | Elysee Franchuk | All prior releases since 4.1.0 | 6.0.7, 5.1.10 and 5.0.14 |
| Moderate | Information disclosure when copying issues (#43161) | | Holger Just of Planio | All prior releases | 6.0.7, 5.1.10 and 5.0.14 |
| Low | Username and password stored in login form (#42998) | | David Rubio Lora | All prior releases | 6.0.7, 5.1.10 and 5.0.14 |
| Low | net-imap vulnerability (#42662) | CVE-2025-43857 | Koya Masuda | All prior releases | 6.0.6, 5.1.9 and 5.0.13 |
| High | ProjectQuery leaks details of private projects (#42352) | | XBOW Security Team | All prior releases since 5.1.0 | 6.0.4 and 5.1.7 |
| High | XSS in custom query (#42238) | | Hau Van | 6.0.0 - 6.0.3 | 6.0.4 |
| High | XSS in macros (#42326) | | Elweth | All prior releases since 5.1.0 | 6.0.4 and 5.1.7 |
| Moderate | /my/account does not correctly enforce sudo mode (#42194) | | Jens Krämer of Planio | All prior releases since 4.1.0 | 6.0.4, 5.1.7 and 5.0.12 |
| Low | Nokogiri vulnerabilities (#42333) | GHSA-vvfq-8hwr-qm4m | | All prior releases | 6.0.4, 5.1.7 and 5.0.12 |
| Moderate | Insufficient permission check with watchers: the "Add watchers" permission effectively also granted "View watchers" (#40946) | CVE-2024-47225 | Jens Krämer of Planio, Felix Schäfer of Planio | All prior releases | 5.1.4 and 5.0.10 |
| High | XSS in Textile formatter (#38807) | CVE-2023-47259, JVN#13618065 | Shiga Takuma of BroadBand Security, Inc., JPCERT/CC | All prior releases | 5.0.6 and 4.2.11 |
| High | XSS in Markdown formatter (#38806) | CVE-2023-47258 | Sam Bagheri | All prior releases | 5.0.6 and 4.2.11 |
| High | XSS Vulnerability in Thumbnails (#38417) | CVE-2023-47260 | An anonymous researcher | All prior releases | 5.0.6 and 4.2.11 |
| Moderate | Insufficient permission checks when adding attachments to issues (#38297) | | Holger Just of Planio | All prior releases | 5.0.5 and 4.2.10 |
| Low | Avoid double-render error with ApplicationController#find_optional_project (#38063) | | Holger Just of Planio | All prior releases | 5.0.5 and 4.2.10 |
| Critical | Access Control Issue in attachments#download_all (#37772) | CVE-2022-44030 | Robert Dick | 5.0.0 - 5.0.3 | 5.0.4 |
| High | Persistent XSS in textile formatting due to blockquote citation (#37751) | CVE-2022-44031 | Frans Rosén | All prior releases | 5.0.4 and 4.2.9 |
| High | Redmine contains a cross-site scripting vulnerability (#37767) | CVE-2022-44637, JVN#60211811 | Shiga Takuma of BroadBand Security, Inc., JPCERT/CC | All prior releases | 5.0.4 and 4.2.9 |
| Moderate | Open Redirect in attachments#download_all (#37880) | | Holger Just of Planio | All prior releases since 4.2.0 | 5.0.4 and 4.2.9 |
| Moderate | Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service (#37872) | CVE-2022-39209 | | 5.0.0 - 5.0.3 | 5.0.4 |
| Moderate | no-permission-check allows issue creation in closed/archived projects (#37187) | | Felix Schäfer of Planio | All prior releases | 5.0.2 and 4.2.7 |
| High | Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn (#37255) | | Felix Schäfer of Planio | All prior releases since 3.4.0 | 5.0.2 and 4.2.7 |
| High | Remote code execution in commonmarker gem (#37136) | CVE-2022-24724 | | 5.0.0 and 5.0.1 | 5.0.2 |
| Moderate | 3 XSS security vulnerabilities in jQuery UI < v1.13.0 (#37256) | CVE-2021-41182, CVE-2021-41183, CVE-2021-41184 | | All prior releases | 5.0.2 and 4.2.7 |
| Moderate | Ruby on Rails vulnerability (announcement) | CVE-2022-22577, CVE-2022-27777 | | All prior releases | 5.0.1 and 4.2.6 |
| Moderate | Ruby on Rails vulnerability (announcement) | CVE-2022-23633 | | All Redmine 4.* versions | 4.2.4 and 4.1.6 |
| Moderate | Activities index view is leaking usernames (#35789) | CVE-2021-42326 | Mischa The Evil | All prior releases | 4.2.3 and 4.1.5 |
| Low | User sessions not reset after activation of two-factor authentication (#35417) | CVE-2021-37156 | Felix Schäfer of Planio | 4.2.0 and 4.2.1 | 4.2.2 |
| High | Ruby on Rails vulnerabilities (announcement) | CVE-2021-22885, CVE-2021-22904 | | All prior releases | 4.2.2 and 4.1.4 |
| Low | Mail handler bypasses add_issue_notes permission (#35045) | CVE-2021-31864 | Holger Just of Planio | All prior releases since 3.3.0 | 4.2.1, 4.1.3 and 4.0.9 |
| Moderate | Allowed filename extensions of attachments can be circumvented (#34367) | CVE-2021-31865 | Bartu Ogur | All prior releases | 4.2.1, 4.1.3 and 4.0.9 |
| Critical | Arbitrary file read in Git adapter (#35085) | CVE-2021-31863 | niubl of TSRC (Tencent Security Response Center) | All prior releases | 4.2.1, 4.1.3 and 4.0.9 |
| Moderate | SysController and MailHandlerController are vulnerable to timing attack (#34950) | CVE-2021-31866 | wonda-tea-coffee | All prior releases to 4.2.0 | 4.2.0, 4.1.3 and 4.0.9 |
| High | Inline issue auto complete doesn't sanitize HTML tags (#33846) | CVE-2021-29274 | Fernando Hartmann | 4.1.0 and 4.1.1 | 4.1.2 and 4.0.8 |
| Moderate | Names of private projects are leaked by issue journal details that contain project_id changes (#33360) | CVE-2021-30163 | Mischa The Evil | All prior releases | 4.1.2 and 4.0.8 |
| High | Issues API bypasses add_issue_notes permission (#33689) | CVE-2021-30164 | Mizuki ISHIKAWA | All prior releases since 3.3.0 | 4.1.2 and 4.0.8 |
| High | Ruby on Rails vulnerabilities (rails 5.2.4.3, rails 5.2.4.5) | CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, CVE-2020-8167, CVE-2021-22880, CVE-2021-22881 | | All prior releases | 4.1.2 and 4.0.8 |
| Moderate | XSS vulnerability due to missing back_url validation (#32850) | CVE-2020-36306 | Nakayama DAISUKE | All prior releases | 4.1.1 and 4.0.7 |
| High | Persistent XSS vulnerabilities in textile inline links (#32934) | CVE-2020-36307 | Maik Stegemann | All prior releases | 4.1.1 and 4.0.7 |
| Moderate | Time entries CSV export may disclose subjects of issues that are not visible (#33075) | CVE-2020-36308 | Mizuki ISHIKAWA | All prior releases | 4.1.1 and 4.0.7 |
| Moderate | Improper markup sanitization in Textile formatting (#25742) | CVE-2019-25026 | Holger Just of Planio | All prior releases | 4.0.6 and 3.4.13 |
| Critical | SQL injection (#32374) | CVE-2019-18890 | Holger Just of Planio | Redmine <= 3.3.9 | 3.3.10 |
| High | Persistent XSS in textile formatting (#31520) | CVE-2019-17427 | Глеб Будило | All prior releases | 3.4.11 and 4.0.4 |
| Critical | Ruby on Rails vulnerabilities (announcement) | CVE-2019-5418, CVE-2019-5419, CVE-2019-5420 | | All prior releases | 3.4.10 and 4.0.3 |
| High | Remote command execution through mercurial adapter (#27516) | CVE-2017-18026 | Yuya Nishihara | All prior releases | 3.2.9, 3.3.6 and 3.4.4 |
| High | Multiple XSS vulnerabilities (#27186) | CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, CVE-2017-15571 | Andi Fink | All prior releases | 3.2.8, 3.3.5 and 3.4.3 |
| Low | Email reminders reveal information about inaccessible issues (#25713) | CVE-2017-16804 | Felix Schäfer of Planio | All prior releases | 3.2.7, 3.3.4 and 3.4.0 |
| Moderate | Improper markup sanitization in wiki content (#25503) | CVE-2017-15573 | Nikita | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Use redirect on /account/lost_password to prevent password reset tokens in referers (#24416) | CVE-2017-15572 | Felix Schäfer of Planio | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Redmine.pm doesn't check that the repository module is enabled on project (#24307) | CVE-2017-15575 | Holger Just of Planio | All prior releases | 3.2.6 and 3.3.3 |
| High | Stored XSS with SVG attachments (#24199) | CVE-2017-15574 | Faisal ait hamou | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Information leak when rendering Time Entry on activity view (#23803) | CVE-2017-15576 | Holger Just of Planio | All prior releases | 3.2.6 and 3.3.3 |
| Moderate | Information leak when rendering Wiki links (#23793) | CVE-2017-15577 | Holger Just of Planio | All prior releases | 3.2.6 and 3.3.3 |
| High | Persistent XSS vulnerabilities in text formatting (Textile and Markdown) and project homepage (#22924, #22925, #22926) | CVE-2016-10515 | Olga Yanushkevich from ERNW GmbH | All prior releases | 3.2.3 |
| Critical | ImageMagick vulnerabilities | CVE-2016-3714, ImageTragick | | All prior releases since 2.1.0 | 3.1.5 and 3.2.2 |
| Moderate | Data disclosure in atom feed (#21419) | CVE-2015-8537 | Jens Krämer of Planio | All prior releases | 2.6.9, 3.0.7 and 3.1.3 |
| Moderate | Potential changeset message disclosure in issues API (#21136) | CVE-2015-8473 | Felix Schäfer of Planio | All prior releases | 2.6.8, 3.0.6 and 3.1.2 |
| Moderate | Data disclosure on the time logging form (#21150) | CVE-2015-8346 | Holger Just of Planio | All prior releases | 2.6.8, 3.0.6 and 3.1.2 |
| Moderate | Open Redirect vulnerability (#19577) | CVE-2015-8474 | Holger Just of Planio | 2.5.1 to 2.6.6, 3.0.0 to 3.0.4 and 3.1.0 | 2.6.7, 3.0.5 and 3.1.1 |
| Low | Potential XSS vulnerability when rendering some flash messages (#19117) | CVE-2015-8477 | Holger Just of Planio | All prior releases | 2.6.2 and 3.0.0 |
| Moderate | Potential data leak (project names) in the invalid form authenticity token error screen (#16511) | | Buntaro Orita | All prior releases | 2.4.6 and 2.5.2 |
| Moderate | Open Redirect vulnerability (#16466) | JVN#93004610, CVE-2014-1985 | | All prior releases | 2.4.5 and 2.5.1 |
| Critical | Ruby on Rails vulnerability (announcement) | | | All releases prior to 2.2.4 | 2.2.4, 2.3.0 |
| Critical | Ruby on Rails vulnerability (announcement) | | | All releases prior to 2.2.3 | 2.2.3 |
| Critical | Ruby on Rails vulnerability (announcement) | CVE-2013-0333 | | All releases prior to and including 1.4.7 | Fix for 1.4.7 |
| Critical | Ruby on Rails vulnerability (announcement) | CVE-2013-0155 | | All prior releases | 2.2.1, 2.1.6, 1.4.7 |
| Critical | Ruby on Rails vulnerability (announcement) | CVE-2013-0156 | | All prior releases | 2.2.1, 2.1.6, 1.4.6 |
| Moderate | XSS vulnerability (#11929) | | Jonathan Tietz | 2.1.0 and 2.1.1 | 2.1.2 |
| High | Persistent XSS vulnerability | JVN#93406632, CVE-2012-0327 | Kousuke Ebihara, JPCERT/CC | All prior releases | 1.3.2 |
| Moderate | Mass-assignment vulnerability that would allow an attacker to bypass part of the security checks (#10390) | | John Yani, Jean-Philippe Lang | All prior releases | 1.3.2 |
| High | Vulnerability that would allow an attacker to bypass the CSRF protection | | | All prior releases | 1.3.0 |
Updated by Holger Just about 1 month ago · 91 revisions locked