"Hi

This is a heads up about a public, unpatched XSS vulnerability in Redmine 4.1.

About 3 months ago, a public issue [1] has been reported in the Redmine bug tracker regarding unsanitized HTML tags. This basically means that you can inject any HTML code in issue titles, including JavaScript. I've successfully verified this on Redmine 4.1. There's an (untested) patch attached in the issue.

I've also sent this to the Redmine security team but since there was no response from the maintainers so far and the issue is already public for a long time I'm posting this here to make people aware of it.

Best regards

[1] https://redmine.org/issues/33846"
Post to oss-security: https://www.openwall.com/lists/oss-security/2020/11/19/4
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fcdd4cb5e8fdb1ecd2c3cd4138b8b004d30ea1e

commit 5fcdd4cb5e8fdb1ecd2c3cd4138b8b004d30ea1e
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2021-03-27 13:45:13 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-04-09 12:20:56 +0000

    www-apps/redmine: update to 4.1.2

    Bug: https://bugs.gentoo.org/755836
    Closes: https://bugs.gentoo.org/778275
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest             |   1 +
 www-apps/redmine/redmine-4.1.2.ebuild | 231 ++++++++++++++++++++++++++++++++++
 2 files changed, 232 insertions(+)
Thanks! All done.