CVE-2025-4011

A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component.
Cross-site Scripting

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 3.5 LOW | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
| VulDB | CNA | 3.5 LOW | | | | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
| CISA-ADP | ADP | --- | | | | --- |

Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 8%
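Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| redmine | bookworm | 5.0.4-5+deb12u1 | not-affected |
| redmine | bookworm (security) | 5.0.4-5+deb12u1 | fixed |
| redmine | sid | 6.0.5+ds-1 | fixed |
| redmine | trixie | 6.0.5+ds-1 | fixed |
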
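Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| redmine | plucky | dne |
| redmine | oracular | dne |
| redmine | noble | dne |
| redmine | jammy | dne |
| redmine | focal | needs-triage |
| redmine | bionic | needs-triage |
| redmine | xenial | needs-triage |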