Redmine Security Report for version 4.2.10

Redmine 4.2.10 was released about 1 year ago on March 06, 2023. It is subject to 4 known vulnerabilities.

We strongly recommend you update your Redmine to the latest version.

Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.

Detailed Analysis

Cross-Site Scripting (XSS)

By exploiting an XSS vulnerability an attacker may take over your login sessions and do anything your user account would be allowed to do. If they can lure an adminstrator into their trap, they would have access to all the data stored within Redmine, enabling them to read, change and delete everything.
XSS in Markdown formatter

High

By submitting crafted markup to a Redmine which is configured to use the legacy Markdown formatter, an attacker can inject malicious JavaScript code into submitted Markdown text. Depending on the Redmine configuration, this may require prior login with a registered user.

Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47258
XSS in Textile formatter

High

By submitting crafted markup to a Redmine which is configured to use Textile formatting, an attacker can inject malicious JavaScript code into submitted Textile text. Depending on the Redmine configuration, this may require prior login with a registered user.

Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47259
XSS in image thumbnails

High

By submitting specifically crafted image attachments to a Redmine, an attacker may inject malicious JavaScript code into Redmine which may be executed within the Redmine origin. Depending on the Redmine configuration, this may require prior login with a registered user.

Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-47260

Denial of Service (DOS)

In a Denial of Service attack, your Redmine becomes compromised in a way that it does not function properly anymore. Using a Denial of Service vulnerability, attackers may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
Update packaged libxml2 in Nokogiri

Moderate

Updates in the packaged dependencies libxml2 (to 2.10.4) of Nokogiri addresses various security issues, having multiple and partially unspecified impact including dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs, as well as various logic or memory errors, including double frees. Updates for Nokogiri are available when using Ruby 2.7 or newer.

Fixed in: 4.2.11, 5.0.6 More details: CVE-2023-29469, CVE-2023-28484