Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Redmine | Redmine | * | 4.0.7 (excluding) |
| Redmine | Redmine | 4.1.0 (including) | 4.1.1 (excluding) |
| Redmine | Ubuntu | bionic | * |
| Redmine | Ubuntu | kinetic | * |
| Redmine | Ubuntu | trusty | * |
| Redmine | Ubuntu | upstream | * |
| Redmine | Ubuntu | xenial | * |