CVE-2015-8474 - Open Redirection vulnerability in Redmine

CVSS 5.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, debian, redmine, nessus

Summary

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985. CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (http://cwe.mitre.org/data/definitions/601.html)
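The weakness described above is that a back_url carrying a "user@host" authority can pass a naive same-host check while the browser redirects to the host after the "@". As an added illustration (not Redmine's own valid_back_url), the following Ruby check accepts only site-relative paths or absolute http(s) URLs whose host exactly matches the application's own; the function name safe_back_url? and the host redmine.example.com are assumptions for the example.

```ruby
require 'uri'

# Hypothetical hardened replacement for a back_url check (added example,
# not Redmine's code). Returns true only for same-site targets:
#   - a site-absolute path ("/projects/foo"), or
#   - an absolute http(s) URL with no userinfo whose host equals own_host.
def safe_back_url?(back_url, own_host)
  return false if back_url.nil? || back_url.empty?
  # Protocol-relative ("//host") and backslash forms ("/\host") are
  # treated as cross-site by browsers; reject them before parsing.
  return false if back_url.start_with?('//', '/\\')
  return false if back_url.include?('\\')

  uri = URI.parse(back_url)
  # "http://own.host@attacker.com" parses with userinfo = "own.host"
  # and host = "attacker.com", which is the CWE-601 pattern at issue here.
  return false if uri.userinfo

  if uri.host.nil?
    # Relative reference: allow only a scheme-less, site-absolute path
    # (this also rejects "@attacker.com" and "javascript:" targets).
    return uri.scheme.nil? && uri.path.start_with?('/')
  end

  %w[http https].include?(uri.scheme) && uri.host.casecmp?(own_host)
rescue URI::InvalidURIError
  # Unparseable input is never a valid redirect target.
  false
end
```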

Vulnerable Configurations

Part         Description   Count
OS           Debian        2
Application  Redmine       110

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_3EC2E0BC9ED711E58F5C002590263BF5.NASL
    description: Redmine reports : Open Redirect vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87293
    published: 2015-12-10
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87293
    title: FreeBSD : redmine -- open redirect vulnerability (3ec2e0bc-9ed7-11e5-8f5c-002590263bf5)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3529.NASL
    description: Multiple vulnerabilities have been found in Redmine, a project management web application, which may result in information disclosure.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90127
    published: 2016-03-24
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90127
    title: Debian DSA-3529-1 : redmine - security update