CVE-2012-2054
EPSS 0.27%
Description
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, or (11) Board model via a modified URL, related to a "mass assignment" vulnerability, a different vulnerability than CVE-2012-0327.
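The "mass assignment" pattern named in the description, shown as an added illustration in plain Ruby (no Rails, and not Redmine's own code): the TimeEntry-like model, its attribute names and the tampered parameters are constructed. The unsafe model copies every key of an incoming hash into an attribute, so a request can overwrite fields the form never exposed; the hardened model only copies keys on an explicit allowlist.

```ruby
# Vulnerable pattern: every key of the incoming hash becomes an attribute,
# so a modified request can set fields such as user_id that the form never
# offered. Model and attribute names are constructed for this illustration.
class UnsafeTimeEntry
  attr_accessor :hours, :comments, :user_id, :project_id

  def initialize(user_id:, project_id:)
    @user_id = user_id
    @project_id = project_id
  end

  def attributes=(hash)
    hash.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hardened pattern: only keys on an explicit allowlist are copied; ownership
# fields stay under the application's control. The allowlist is an assumption
# for this example, not Redmine's actual configuration.
class SafeTimeEntry < UnsafeTimeEntry
  ACCESSIBLE = %w[hours comments].freeze

  def attributes=(hash)
    hash.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end
end

# Constructed request parameters: a user_id key has been added to the
# ordinary form fields.
TAMPERED_PARAMS = { "hours" => 2, "comments" => "work", "user_id" => 1 }.freeze

# Build an entry owned by user 42 in project 7, then apply the submitted hash
# the way a controller would.
def apply(model_class, params)
  entry = model_class.new(user_id: 42, project_id: 7)
  entry.attributes = params
  entry
end
```

With the unsafe model the entry's owner becomes user 1; with the allowlisted model it stays user 42 while hours and comments are still set.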
How to fix CVE-2012-2054
To remediate CVE-2012-2054, upgrade the affected package to a fixed version below.
- Debian/redmine: upgrade to 1.3.2+dfsg1-1 or later
Is CVE-2012-2054 being exploited?
Low: EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/redmine: all versions from 0 up to, but not including, 1.3.2+dfsg1-1