Holger Just

**Name of the Vulnerable Software and Affected Versions** Gitea versions prior to 1.20.1 **Description** A flaw exists in Gitea that allows the use of a forbidden URL scheme, such as javascript:, within a link, which can lead to cross-site scripting (XSS). **Recommendations** Update Gitea to version 1.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Redmine versions 4.2.0 through 4.2.1 **Description** The issue is related to the incorrect session expiration in Redmine, a web application for project and task management. When two-factor authentication is enabled for a user's account, existing user sessions are not terminated as intended, allowing them to continue. This could potentially be exploited by a remote attacker to continue accessing the user's account without proper authentication. **Recommendations** For Redmine versions 4.2.0 and 4.2.1, consider terminating all existing user sessions immediately after enabling two-factor authentication for the user's account as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Redmine versions 3.4.13 and earlier, 4.x versions prior to 4.0.6 **Description** The issue is related to incorrect handling of markup data during Textile formatting in the Redmine project management and task management server web application. This can allow a remote attacker to impact data integrity. **Recommendations** For Redmine versions 3.4.13 and earlier, update to version 3.4.13 or later. For Redmine 4.x versions prior to 4.0.6, update to version 4.0.6 or later. As a temporary workaround, consider disabling Textile formatting until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Redmine versions prior to 2.6.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via vectors involving flash message rendering. **Recommendations** For versions prior to 2.6.2, update to version 2.6.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cocaine gem versions 0.4.0 through 0.5.2 **Description** The issue allows context-dependent attackers to execute arbitrary commands via a crafted `has` object, related to recursive variable interpolation. **Recommendations** For Cocaine gem versions 0.4.0 through 0.5.2, update to a version outside of this range to resolve the issue. At the moment, there is no information about a specific newer version that contains a fix for this vulnerability.