Persistent XSS Vulnerability in Redmine Affects Multiple Versions
CVE-2019-17427

6.1MEDIUM

Key Information:

Vendor

Redmine

Status
Redmine
Vendor
CVE Published:
10 October 2019

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2019-17427?

A persistent Cross-Site Scripting vulnerability has been identified in Redmine versions earlier than 3.4.11 and in 4.0.x prior to 4.0.4. This vulnerability arises from errors in textile formatting, allowing an attacker to inject malicious scripts that could be stored and executed on clients' browsers. Exploiting this flaw could result in unauthorized actions being performed on behalf of authenticated users, potentially leading to data theft or manipulation. Organizations using the affected versions are strongly advised to update to the latest secure release to mitigate the risks associated with this vulnerability.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-17427
Created by RealLinkers

References

https://www.redmine.org/projects/redmine/wiki/Security_Ad...
x_refsource_MISC
https://www.debian.org/security/2019/dsa-4574
vendor-advisoryx_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Nov/31
mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.