CVE-2012-2054

EUVD-2012-2060

05.04.2012, 14:55

Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Affected Products (NVD)

Vendor	Product	Version
redmine	redmine	𝑥 ≤ 1.3.1
redmine	redmine	0.1.0
redmine	redmine	0.2.1
redmine	redmine	0.2.2
redmine	redmine	0.3.0
redmine	redmine	0.4.0
redmine	redmine	0.4.1
redmine	redmine	0.4.2
redmine	redmine	0.5.0
redmine	redmine	0.5.1
redmine	redmine	0.6.0
redmine	redmine	0.6.1
redmine	redmine	0.6.2
redmine	redmine	0.6.3
redmine	redmine	0.6.4
redmine	redmine	0.7.0
redmine	redmine	0.7.0:rc1
redmine	redmine	0.7.1
redmine	redmine	0.7.2
redmine	redmine	0.7.3
redmine	redmine	0.7.4
redmine	redmine	0.8.0
redmine	redmine	0.8.0:rc1
redmine	redmine	0.8.1
redmine	redmine	0.8.2
redmine	redmine	0.8.3
redmine	redmine	0.8.4
redmine	redmine	0.8.5
redmine	redmine	0.8.6
redmine	redmine	0.8.7
redmine	redmine	0.9.0
redmine	redmine	0.9.1
redmine	redmine	0.9.2
redmine	redmine	0.9.3
redmine	redmine	0.9.4
redmine	redmine	0.9.5
redmine	redmine	0.9.6
redmine	redmine	1.0.0
redmine	redmine	1.0.1
redmine	redmine	1.0.2
redmine	redmine	1.0.3
redmine	redmine	1.0.4
redmine	redmine	1.0.5
redmine	redmine	1.1.0
redmine	redmine	1.1.1
redmine	redmine	1.1.2
redmine	redmine	1.1.3
redmine	redmine	1.2.0
redmine	redmine	1.2.1
redmine	redmine	1.2.2
redmine	redmine	1.2.3
redmine	redmine	1.3.0