Redmine Unspecified Cross Site Scripting Vulnerability

Bugtraq ID:	30241
Class:	Input Validation Error
CVE:	CVE-2008-4481
Remote:	Yes
Local:	No
Published:	Jul 15 2008 12:00AM
Updated:	May 07 2015 05:27PM
Credit:	Toshiharu Sugiyama of UBsecure, Inc
Vulnerable:	Redmine Redmine 0.7.2
Not Vulnerable:	Redmine Redmine 0.7.3

Redmine Unspecified Cross Site Scripting Vulnerability

Redmine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Redmine 0.7.2 and prior versions are vulnerable.

Redmine Unspecified Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

Redmine Unspecified Cross Site Scripting Vulnerability

Solution:
The vendor has released an update. Please see the references for more information.


Redmine Redmine 0.7.2

• Redmine redmine-0.7.3.tar.gz
  http://rubyforge.org/frs/download.php/39477/redmine-0.7.3.tar.gz

Redmine Unspecified Cross Site Scripting Vulnerability

References:

• JVN#00945448 Redmine vulnerable to cross-site scripting (Redmine)
  
• Redmine Homepage (Redmine)