CVE-2025-4011 MEDIUM

CVE-2025-4011: Redmine Custom Query cross site scripting

Vendor N/A

Product Redmine

Weakness CWE-79 · XSS

Published April 28, 2025

Last update April 28, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component.

Key dates

02Disclosure timeline

April 28, 2025 CVE published

April 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-4011 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-4646 Campcodes Complete Web-Based School Management System student_payment_details.php cross site scripting CVE-2025-11768 Islamic Phrases <= 2.12.2015 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-6487 LuckyWP Table of Contents <= 2.1.5 - Authenticated (Administrator+) Cross-Site Scripting CVE-2025-12661 Pollcaster Shortcode Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-7163 SeaCMS index.php cross site scripting

Identifiers

CVE CVE-2025-4011

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor N/A

Product Redmine

Affected 6.0.0

Vendor N/A

Product Redmine

Affected 6.0.1

Vendor N/A

Product Redmine

Affected 6.0.2

Vendor N/A

Product Redmine

Affected 6.0.3