CVE-2009-4459

Name of the Vulnerable Software and Affected Versions Redmine versions 0.8.7 and earlier

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary script via UTF-7 encoded values in the title parameter to a new issue page. This may be interpreted as script by Internet Explorer 7 and 8.

Recommendations For versions 0.8.7 and earlier, consider defining the character encoding in a meta tag before the title tag to prevent cross-site scripting attacks. As a temporary workaround, restrict the use of UTF-7 encoded values in the title parameter to minimize the risk of exploitation.