Vulnerability Description
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redmine | Redmine | <= 1.3.1 |
Related Weaknesses (CWE)
References
- http://www.redmine.org/boards/2/topics/29343
- http://www.redmine.org/issues/10390
- http://www.redmine.org/versions/42
- http://www.redmine.org/boards/2/topics/29343
- http://www.redmine.org/issues/10390
- http://www.redmine.org/versions/42
FAQ
What is CVE-2012-2054?
CVE-2012-2054 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) Issu...
How severe is CVE-2012-2054?
CVE-2012-2054 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2054?
Check the references section above for vendor advisories and patch information. Affected products include: Redmine Redmine.