Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-8474

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.

Published

2016-04-12T14:59:05.227

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.4 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

4.9

Weaknesses
  • Type: Primary
    NVD-CWE-Other
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System debian debian_linux 7.0 Yes
Operating System debian debian_linux 8.0 Yes
Application redmine redmine ≤ 2.6.6 Yes
Application redmine redmine 2.5.1 Yes
Application redmine redmine 3.0.0 Yes
Application redmine redmine 3.0.1 Yes
Application redmine redmine 3.0.2 Yes
Application redmine redmine 3.0.3 Yes
Application redmine redmine 3.0.4 Yes
Application redmine redmine 3.1.0 Yes
References