PT-2022-6948 · Redmine

Published

2022-12-12

·

Updated

2024-03-06

·

CVE-2022-44637

CVSS v2.0

10

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Redmine 4.2.x versions prior to 4.2.9 (and all earlier release lines), and 5.0.x versions prior to 5.0.4. Redmine 4.2.9 and 5.0.4 are the first fixed releases of their respective branches.
Description

Redmine's RedCloth3-based Textile formatter does not properly sanitize Textile-formatted content (issue descriptions and notes, wiki pages and similar text fields). An attacker who can write such content can store a payload that is rendered as active HTML or script in the browser of every user who later views it (stored, i.e. persistent, XSS). Depending on the instance configuration, exploitation may require an account on the Redmine instance; where anonymous users are permitted to create or comment on issues, no authentication is needed. The result is that a remote attacker can execute script in the context of other Redmine users' sessions.
Recommendations

Update to Redmine 4.2.9 or later on the 4.2 branch, or to 5.0.4 or later on the 5.0 branch; installations on release lines older than 4.2 should move to one of those fixed releases. If the update cannot be applied immediately, switch the text formatting setting away from Textile (Administration > Settings > General > Text formatting) as a temporary workaround, noting that existing Textile content will then render differently. In addition, limit who can author formatted content: disable anonymous issue creation and commenting, and review content already stored in Textile-formatted fields for injected HTML or script, since the flaw is persistent and an earlier injection survives the upgrade.
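The two checks a practitioner wants after reading the affected-version and recommendation entries above, as an added example that is not Redmine or RedCloth3 code: a small Ruby script that classifies a Redmine version string against the ranges this advisory lists (treating 5.1 and later as fixed is an assumption, since they postdate the advisory) and scans Textile field contents for generic indicators of smuggled HTML or JavaScript. The indicator patterns and the sample records are constructed for this example; they are a hunting heuristic for content to review by hand, not the specific input addressed by the 4.2.9 / 5.0.4 fix.

```ruby
# Added example for advisory PT-2022-6948 / CVE-2022-44637 (not project code).
# 1. redmine_status: is this Redmine version in the advisory's affected range?
# 2. scan_textile_records: which stored Textile fields contain generic
#    stored-XSS indicators and deserve a manual review before/after patching?

# First fixed release per branch, taken from the advisory.
FIXED_VERSIONS = { [4, 2] => [4, 2, 9], [5, 0] => [5, 0, 4] }.freeze
OLDEST_FIXED = [4, 2, 9].freeze

# "4.2.8" -> [4, 2, 8]; "5.0" -> [5, 0, 0]
def parse_version(str)
  parts = str.strip.split('.').map { |p| Integer(p, 10) }
  raise ArgumentError, "bad version: #{str}" unless parts.size.between?(2, 3)
  parts.fill(0, parts.size...3)
end

# Returns :affected or :fixed.
def redmine_status(version_str)
  v = parse_version(version_str)
  branch = v[0, 2]
  if (fix = FIXED_VERSIONS[branch])
    (v <=> fix).negative? ? :affected : :fixed
  elsif (v <=> OLDEST_FIXED).negative?
    :affected                 # every release line older than 4.2
  else
    :fixed                    # assumption: 5.1+ ships with the fix
  end
end

# Generic indicators of HTML/JS in a text field. A hit means "review this
# record", not "this record exploited CVE-2022-44637".
XSS_INDICATORS = {
  script_tag:    /<\s*script\b/i,
  event_handler: /\bon[a-z]+\s*=/i,
  js_url:        /javascript\s*:/i,
  data_url:      /data\s*:\s*text\/html/i,
  iframe_or_obj: /<\s*(iframe|object|embed)\b/i,
}.freeze

def suspicious_indicators(text)
  XSS_INDICATORS.select { |_, re| text.match?(re) }.keys
end

# records: array of { id:, field:, text: } hashes, e.g. rows pulled from the
# issues and journals tables. Returns only the records worth reviewing.
def scan_textile_records(records)
  records.filter_map do |rec|
    hits = suspicious_indicators(rec[:text])
    hits.empty? ? nil : rec.merge(indicators: hits)
  end
end

# Constructed sample rows standing in for issue descriptions and comments.
SAMPLE_RECORDS = [
  { id: 101, field: 'issues.description',
    text: "h2. Login fails\n\nSteps: open *Settings* and click \"Save\"." },
  { id: 102, field: 'journals.notes',
    text: 'See "report":http://intranet.example/report for details.' },
  { id: 103, field: 'issues.description',
    text: 'Fix this: <img src=x onerror=alert(document.cookie)>' },
  { id: 104, field: 'journals.notes',
    text: 'Try "this link":javascript:alert(1) instead.' },
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[4.2.8 4.2.9 5.0.3 5.0.4 4.1.7 5.1.0].each do |v|
    puts "Redmine #{v}: #{redmine_status(v)}"
  end
  scan_textile_records(SAMPLE_RECORDS).each do |r|
    puts "review #{r[:field]} id=#{r[:id]}: #{r[:indicators].join(', ')}"
  end
end
```

On a live instance the version comes from `lib/redmine/version.rb` (or the Administration > Information page) and the records from the `issues.description`, `journals.notes` and `wiki_contents.text` columns; run the scan before upgrading as well as after, because content injected while the instance was vulnerable is not cleaned by the update.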

Fix

XSS


Related Identifiers

BDU:2023-05705
BIT-REDMINE-2022-44637
CVE-2022-44637

Affected Products

Redcloth3
Redmine