CVE-2019-17427

MEDIUM

Redmine < 3.4.11 and 4.0.x < 4.0.4 - Stored Cross-Site Scripting via Textile Formatting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-17427. PoCs published by RealLinkers.

AI-analyzed exploit summary The repository provides a functional proof-of-concept for a persistent XSS vulnerability in Redmine versions before 3.4.11 and 4.0.x before 4.0.4. The exploit leverages textile formatting errors by injecting malicious JavaScript via the <pre> tag with an onfocusin event handler.

Description

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

Exploits (1)

nomisec WORKING POC 1 stars
by RealLinkers · poc
https://github.com/RealLinkers/CVE-2019-17427

The repository provides a functional proof-of-concept for a persistent XSS vulnerability in Redmine versions before 3.4.11 and 4.0.x before 4.0.4. The exploit leverages textile formatting errors by injecting malicious JavaScript via the <pre> tag with an onfocusin event handler.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Redmine before 3.4.11 and 4.0.x before 4.0.4
Auth required
Prerequisites: Access to a wiki page with textile formatting enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4574
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Nov/31
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4200-1/
Various Sources x_refsource_misc
https://github.com/RealLinkers/CVE-2019-17427

Scores

CVSS v3 6.1
EPSS 0.0183
EPSS Percentile 83.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
redmine/redmine < 3.4.11
Published Oct 10, 2019
Tracked Since Feb 18, 2026