This is a heads up about a public, unpatched XSS vulnerability in
About 3 months ago, a public issue  has been reported in the Redmine
bug tracker regarding unsanitized HTML tags. This basically means that
I've successfully verified this on Redmine 4.1. There's a (untested)
patch attached in the issue.
I've also sent this to the Redmine security team but since there was no
response from the maintainers so far and the issue is already public for
a long time I'm posting this here to make people aware of it.
Post to oss-security: https://www.openwall.com/lists/oss-security/2020/11/19/4
The bug has been referenced in the following commit(s):
Author: Azamat H. Hackimov <email@example.com>
AuthorDate: 2021-03-27 13:45:13 +0000
Commit: Joonas Niilola <firstname.lastname@example.org>
CommitDate: 2021-04-09 12:20:56 +0000
www-apps/redmine: update to 4.1.2
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Azamat H. Hackimov <email@example.com>
Signed-off-by: Joonas Niilola <firstname.lastname@example.org>
www-apps/redmine/Manifest | 1 +
www-apps/redmine/redmine-4.1.2.ebuild | 231 ++++++++++++++++++++++++++++++++++
2 files changed, 232 insertions(+)
Thanks! All done.