Jean-Philippe Lang

5 exploits Active since Oct 2017
CVE-2017-15568 WRITEUP MEDIUM WRITEUP
Redmine < 3.2.8, 3.3.x < 3.3.5, 3.4.x < 3.4.3 - Cross-Site Scripting via Multi-Value Field in Issue History
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.
CVSS 6.1
CVE-2017-15569 WRITEUP MEDIUM WRITEUP
Redmine < 3.2.8, 3.3.x < 3.3.5, 3.4.x < 3.4.3 - Cross-Site Scripting via Multi-Value Field in Issue List
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.
CVSS 6.1
CVE-2017-15570 WRITEUP MEDIUM WRITEUP
Redmine < 3.2.8, 3.3.x < 3.3.5, 3.4.x < 3.4.3 - Cross-Site Scripting via Timelog Column Data
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.
CVSS 6.1
CVE-2017-15571 WRITEUP MEDIUM WRITEUP
Redmine < 3.2.8, 3.3.x < 3.3.5, 3.4.x < 3.4.3 - Cross-Site Scripting via Crafted Column Data
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.
CVSS 6.1
CVE-2017-16804 WRITEUP MEDIUM WRITEUP
Redmine <3.2.7 & <3.3.4 - Info Disclosure
In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.
CVSS 4.3