Cross-Site Scripting in Redmine 4.1.x Due to Auto Complete Mishandling
CVE-2021-29274

6.1MEDIUM

Key Information:

Vendor

Redmine

Status
Redmine
Vendor
CVE Published:
29 March 2021

What is CVE-2021-29274?

Redmine versions prior to 4.1.2 are susceptible to a Cross-Site Scripting (XSS) vulnerability where the mishandling of an issue's subject in the auto-complete feature could allow an attacker to execute arbitrary JavaScript code in the context of the user's session. This could lead to unauthorized actions, data theft, or other security exploits. Users are advised to upgrade to the latest version to mitigate this risk.

References

https://www.redmine.org/projects/redmine/wiki/Security_Ad...
x_refsource_MISC
https://www.redmine.org/issues/33846
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.