Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4
CVSSv2

CVE-2019-18890

Published: 21/11/2019 Updated: 26/11/2019
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 357
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Subscribe to Redmine

Vulnerability Summary

A SQL injection vulnerability in Redmine up to and including 3.2.9 and 3.3.x prior to 3.3.10 allows Redmine users to access protected information via a crafted object query.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

redmine redmine

debian debian linux 9.0

Vendor Advisories

Ubuntu Security Notice: redmine vulnerabilities
Several security issues were fixed in redmine ...
Debian Security Advisories: DSA-4574-1 redmine -- security update
Hoger Just discovered an SQL injection in Redmine, a project management web application In addition a cross-site scripting issue was found in Textile formatting For the oldstable distribution (stretch), these problems have been fixed in version 331-4+deb9u3 We recommend that you upgrade your redmine packages For the detailed security status o ...

Github Repositories

https://github.com/RealLinkers/CVE-2019-17427

CVE-2019-17427 Persistent XSS POC

CVE-2019-17427 CVE-2019-17427 Persistent XSS POC In Redmine before 3411 and 40x before 404, persistent XSS exists due to textile formatting errors The vulnerability essentially exists on any wiki page which by default uses textile formatting You can take advantage of it by using <pre parameter <pre onfocusin=alert("pwnd") tabindex=1 style="

https://github.com/RealLinkers/CVE-2019-18890

CVE-2019-18890 POC (Proof of Concept)

CVE-2019-18890 CVE-2019-18890 POC (Proof of Concept) REDMINE UP TO 329/339 SQL INJECTION nvdnistgov/vuln/detail/CVE-2019-18890 Requirements: Access credentials Subproject is required REST API is enabled On Mysql the first query on which injection occurs looks like the example below with the "-SLEEP(5)" being the injected part: SELECT COUNT(*) FROM issu

References

CWE-89https://www.debian.org/security/2019/dsa-4574https://security-tracker.debian.org/tracker/CVE-2019-18890https://www.redmine.org/projects/redmine/wiki/Security_Advisorieshttps://usn.ubuntu.com/4200-1/https://github.com/RealLinkers/CVE-2019-18890https://seclists.org/bugtraq/2019/Nov/31https://usn.ubuntu.com/4200-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4040privilege escalationCVE-2024-4112CVE-2024-32872man-in-the-middleCVE-2024-32788bypassCVE-2024-3400CVE-2024-28976
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook