Published: 30/12/2009 Updated: 17/08/2017

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Redmine 0.8.7 and previous versions uses the title tag before defining the character encoding in a meta tag, which allows remote malicious users to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as script by Internet Explorer 7 and 8.

Vulnerable Product	Search on Vulmon	Subscribe to Product
redmine redmine 0.4.2
redmine redmine 0.5.0
redmine redmine 0.8.4
redmine redmine 0.8.3
redmine redmine 0.2.2
redmine redmine 0.7.4
redmine redmine 0.6.3
redmine redmine 0.4.1
redmine redmine 0.7.0
redmine redmine 0.7.1
redmine redmine 0.1.0
redmine redmine 0.2.1
redmine redmine 0.8.0
redmine redmine
redmine redmine 0.6.0
redmine redmine 0.5.1
redmine redmine 0.7.2
redmine redmine 0.3.0
redmine redmine 0.8.2
redmine redmine 0.7.3
redmine redmine 0.6.1
redmine redmine 0.6.2
redmine redmine 0.6.4
redmine redmine 0.4.0
redmine redmine 0.8.1
redmine redmine 0.8.6
redmine redmine 0.8.5

Debian Bug report logs - #563940 CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag Package: redmine; Maintainer for redmine is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for redmine is src:redmine (PTS, buildd, popcon) Reported by: Giusepp ...

CWE-79 http://www.securityfocus.com/bid/37425 http://www.exploit-db.com/exploits/10554 https://exchange.xforce.ibmcloud.com/vulnerabilities/54947 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563940 https://nvd.nist.gov

CVE-2009-4459

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect