CVE-2015-8346

moderate-risk
Published 2016-04-12

app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

Do I need to act?

-
0.46% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (10)

Affected Vendors

Debian Redmine

References (8)

http://www.debian.org/security/2016/dsa-3529
Patch http://www.redmine.org/news/102
https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b...
https://www.redmine.org/issues/21150
http://www.debian.org/security/2016/dsa-3529
Patch http://www.redmine.org/news/102
https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b...
https://www.redmine.org/issues/21150
39
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 2/34 · Minimal
Exposure 16/34 · Moderate