Source: redmine
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redmine.

CVE-2022-44030[0]:
| Redmine 5.x before 5.0.4 allows downloading of file attachments of any
| Issue or any Wiki page due to insufficient permission checks.
| Depending on the configuration, this may require login as a registered
| user.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2022-44637[1]:
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in
| its Textile formatter due to improper sanitization in Redcloth3
| Textile-formatted fields. Depending on the configuration, this may
| require login as a registered user.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2022-44031[2]:
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in
| its Textile formatter due to improper sanitization of the blockquote
| syntax in Textile-formatted fields.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44030
    https://www.cve.org/CVERecord?id=CVE-2022-44030
[1] https://security-tracker.debian.org/tracker/CVE-2022-44637
    https://www.cve.org/CVERecord?id=CVE-2022-44637
[2] https://security-tracker.debian.org/tracker/CVE-2022-44031
    https://www.cve.org/CVERecord?id=CVE-2022-44031

Please adjust the affected versions in the BTS as needed.
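The affected ranges quoted in the three CVE descriptions above, turned into a small triage helper for the "adjust the affected versions in the BTS" step. This is an added example, not code from the bug report, from Debian or from the Redmine project. It assumes Debian-style package versions (optional epoch, optional "+dfsg"-style suffix, "-revision"), which it strips before comparing with Ruby's stdlib Gem::Version; the names upstream_version and affected_cves and the sample version strings are mine.

```ruby
# Added triage helper (not Debian's or Redmine's code): maps a package
# version onto the affected ranges stated in the CVE descriptions quoted
# in the bug report. Gem::Version (Ruby stdlib) does the comparison, so
# "5.0.10" correctly sorts after "5.0.4" where a string compare would not.
require 'rubygems'

# Reduce a Debian version ("1:5.0.3+dfsg-1") to its upstream part ("5.0.3").
# Assumption: the Debian revision is everything after the last "-", and any
# "+..." suffix belongs to the packaging, not upstream. Gem::Version would
# otherwise parse "5.0.4-1" as a *pre-release* of 5.0.4 and misclassify it.
def upstream_version(debian_version)
  debian_version
    .sub(/\A\d+:/, '')   # epoch
    .sub(/-[^-]*\z/, '') # Debian revision
    .sub(/\+.*\z/, '')   # +dfsg / +ds style suffix
end

# "Redmine before 4.2.9 and 5.0.x before 5.0.4" (CVE-2022-44637, CVE-2022-44031).
# A 5.1.0 is neither "before 4.2.9" nor "5.0.x", so it is not in range.
def textile_xss_range?(v)
  return v < Gem::Version.new('4.2.9') if v.segments[0] < 5
  v.segments[0] == 5 && v.segments[1] == 0 && v < Gem::Version.new('5.0.4')
end

# "Redmine 5.x before 5.0.4" (CVE-2022-44030): 4.x is not listed as affected.
def attachment_download_range?(v)
  v.segments[0] == 5 && v < Gem::Version.new('5.0.4')
end

AFFECTED = {
  'CVE-2022-44030' => method(:attachment_download_range?),
  'CVE-2022-44637' => method(:textile_xss_range?),
  'CVE-2022-44031' => method(:textile_xss_range?),
}.freeze

# Return the CVE ids from the report that apply to the given Debian version.
def affected_cves(debian_version)
  v = Gem::Version.new(upstream_version(debian_version))
  AFFECTED.select { |_cve, in_range| in_range.call(v) }.keys
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions, not taken from any real package archive.
  %w[5.0.3-1 1:5.0.3+dfsg-1 4.2.8-1 4.2.9-1 5.0.4-1 5.1.0-1].each do |ver|
    puts "#{ver}: #{affected_cves(ver).empty? ? 'not affected' : affected_cves(ver).join(', ')}"
  end
end
```

Run it against the versions in stable, oldstable and unstable before editing the tracker; the "5.x" versus "5.0.x" distinction in the two descriptions is the part that is easy to get wrong by hand.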