Cross-Site Scripting Vulnerability in Redmine by Redmine Project
CVE-2020-36306

6.1 MEDIUM

Key Information:

Vendor: Redmine

Status
Vendor
CVE Published: 6 April 2021

What is CVE-2020-36306?

A cross-site scripting (XSS) vulnerability exists in Redmine versions prior to 4.0.7 and in 4.1.x before 4.1.1. The flaw is reachable through the back_url field and may permit an attacker to inject malicious scripts, potentially compromising user data and session integrity. It is critical for users to upgrade to the patched versions to mitigate the associated risks. For further information, refer to the official security advisory and associated updates.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
