| CVE-2021-31866 |
Medium |
Yes |
Information disclosure |
Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations... |
| CVE-2021-31865 |
Medium |
Yes |
Arbitrary file upload |
Redmine before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. |
| CVE-2021-31864 |
Low |
Yes |
Access restriction bypass |
Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. |
| CVE-2021-31863 |
Critical |
Yes |
Arbitrary filesystem access |
Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the... |
| CVE-2021-30164 |
High |
Yes |
Access restriction bypass |
Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. |
| CVE-2021-30163 |
Medium |
Yes |
Information disclosure |
Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. |
| CVE-2021-29274 |
High |
Yes |
Cross-site scripting |
Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issue's subject is mishandled in the auto complete tip. |