Redmine: Security Vulnerabilities, CVEs, CVSS score >= 8
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
Max CVSS: 9.8
EPSS Score: 0.14%
Published: 2021-04-06
Updated: 2021-06-02
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
Max CVSS: 8.8
EPSS Score: 0.73%
Published: 2018-01-10
Updated: 2019-10-03
2 vulnerabilities found