Description
app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| redmine | fixed | 3.2.0-1 | | package |
| redmine | end-of-life | | wheezy | package |
| redmine | end-of-life | | squeeze | package |
Notes
https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/21150 (private)
https://www.openwall.com/lists/oss-security/2015/11/25/1
Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
For squeeze, the bug is in app/views/timelog/edit.rhtml
upstream fixed in 2.6.8, 3.0.6 and 3.1.2