| Bug | Description |
|---|
| TEMP-0000000-838979 | Escape href attribute in auto links |
| TEMP-0000000-56C871 | Fixes permission check in QueriesController |
| CVE-2021-37156 | Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon ... |
| CVE-2021-29274 | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mi ... |
| CVE-2020-36308 | Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discov ... |
| CVE-2020-36307 | Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile ... |
| CVE-2020-36306 | Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url f ... |
| CVE-2019-25026 | Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data duri ... |
| CVE-2019-18890 | A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x befor ... |
| CVE-2019-17427 | In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists ... |
| CVE-2017-18026 | Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does ... |
| CVE-2017-16804 | In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function ... |
| CVE-2017-15577 | Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering o ... |
| CVE-2017-15576 | Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rend ... |
| CVE-2017-15575 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a che ... |
| CVE-2017-15574 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible ... |
| CVE-2017-15573 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because mar ... |
| CVE-2017-15572 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can o ... |
| CVE-2017-15571 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... |
| CVE-2017-15570 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... |
| CVE-2017-15569 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... |
| CVE-2017-15568 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... |
| CVE-2016-10515 | In Redmine before 3.2.3, there are stored XSS vulnerabilities affectin ... |
| CVE-2015-8537 | app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before ... |
| CVE-2015-8477 | Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allow ... |
| CVE-2015-8474 | Open redirect vulnerability in the valid_back_url function in app/cont ... |
| CVE-2015-8473 | The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x ... |
| CVE-2015-8346 | app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ... |
| CVE-2014-1985 | Open redirect vulnerability in the redirect_back_or_default function i ... |
| CVE-2012-2054 | Redmine before 1.3.2 does not properly restrict the use of a hash to p ... |
| CVE-2012-0327 | Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allow ... |
| CVE-2011-4929 | Unspecified vulnerability in the bazaar repository adapter in Redmine ... |
| CVE-2011-4928 | Cross-site scripting (XSS) vulnerability in the textile formatter in R ... |
| CVE-2011-4927 | Unspecified vulnerability in the bazaar repository adapter in Redmine ... |
| CVE-2009-4459 | Redmine 0.8.7 and earlier uses the title tag before defining the chara ... |
| CVE-2009-4079 | Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and e ... |
| CVE-2009-4078 | Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 a ... |