1) Multiple errors due to certain attributes not being properly initialized can be exploited to manipulate certain attributes when doing mass assignment and e.g. post news to otherwise restricted projects.

2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 1.3.2.

Solution: Update to version 1.3.2.

Original Advisory: Redmine:
http://www.redmine.org/projects/redmine/news
http://www.redmine.org/issues/10390
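The mass-assignment defect in point 1, as an added illustration in plain Ruby that is not Redmine's code: a News-like model with a Rails-style "assign every key in params" setter lets a request body override `project_id`, while an allowlist of writable attributes keeps the project binding chosen by the server. The class names, attribute names and the `assign` method are assumptions for the example.

```ruby
# Added example, not Redmine's own code. Minimal stand-in for a Rails model
# that does mass assignment from request parameters.
class NewsUnprotected
  attr_accessor :title, :description, :project_id, :author_id

  # project_id and author_id are set by the controller from the current
  # project and logged-in user; they should never come from the request.
  def initialize(project_id:, author_id:)
    @project_id = project_id
    @author_id = author_id
  end

  # Vulnerable pattern: every key in params becomes an attribute write,
  # so a request carrying "project_id" re-targets the news item.
  def assign(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

class NewsProtected < NewsUnprotected
  # Explicit allowlist of attributes a request may set (the role that
  # attr_accessible / strong parameters play in Rails).
  ASSIGNABLE = %w[title description].freeze

  attr_reader :rejected   # keys that were dropped, useful for logging/alerting

  def assign(params)
    @rejected = []
    params.each do |k, v|
      if ASSIGNABLE.include?(k.to_s)
        public_send("#{k}=", v)
      else
        @rejected << k.to_s   # e.g. "project_id": silently ignored, recorded
      end
    end
    self
  end
end

# Constructed request parameters: a legitimate title plus an attempt to
# move the news item into project 99.
REQUEST_PARAMS = { "title" => "Release notes", "project_id" => 99 }.freeze
```

Running `NewsUnprotected.new(project_id: 1, author_id: 7).assign(REQUEST_PARAMS)` leaves `project_id` at 99; the protected model keeps it at 1 and records `project_id` in `rejected`, which is the value worth logging.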
1.3.2 is already in cvs. ebuild.allmasked
(In reply to comment #1)
> 1.3.2 is already in cvs. ebuild.allmasked

Great, thank you. Closing noglsa for ~arch only package.
CVE-2012-0327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0327): Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.