CVE-2023-47258 in Redmine
Summary
by MITRE • 11/05/2023
Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability affects Redmine versions prior to 4.2.11 and 5.0.x versions prior to 5.0.6, where the Markdown formatter contains a cross-site scripting flaw that permits malicious code execution through crafted input. The issue stems from insufficient sanitization of user-supplied content within the Markdown processing pipeline, allowing attackers to inject malicious scripts that execute in the context of other users' browsers when viewing affected content.
The technical implementation of this vulnerability occurs during the Markdown parsing phase where the application fails to properly escape or filter HTML characters and script tags embedded within markdown formatted text. When users view project descriptions, issue details, or wiki pages containing maliciously crafted markdown content, the browser executes the injected JavaScript code as if it originated from a legitimate source within the application. This represents a classic cross-site scripting vulnerability that falls under CWE-79 - Improper Neutralization of Input During Web Page Generation.
The operational impact of this vulnerability extends beyond simple script execution to potentially enable attackers to steal session cookies, perform actions on behalf of authenticated users, access sensitive project data, or even escalate privileges within the application. An attacker could craft malicious wiki pages or issue descriptions containing script tags that would execute when other users browse these pages, creating a persistent threat vector that affects all users interacting with vulnerable content.
This vulnerability aligns with ATT&CK technique T1566.002 - Phishing via Service, where attackers leverage application features to deliver malicious payloads through seemingly legitimate user-generated content. The attack chain typically involves an attacker identifying a target user with sufficient privileges, creating malicious markdown content within a project, and waiting for the victim to view the affected page. The vulnerability is particularly concerning in enterprise environments where Redmine serves as a central collaboration platform for sensitive project information.
Mitigation strategies include upgrading immediately to Redmine 4.2.11 or 5.0.6, which contain the input sanitization fixes, deploying Content Security Policy headers to restrict script execution, and conducting regular security reviews of user-generated content processing. Organizations should also consider additional defensive measures such as input validation at multiple layers, regular security scanning of user content, and educating users about the risks of viewing untrusted project data. The vulnerability demonstrates the critical importance of proper output sanitization in web applications and serves as a reminder that even seemingly benign features like markdown rendering can become attack vectors when insufficiently secured.
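As an added illustration of the failure mode and the fix described above (this is example code, not Redmine's own formatter or patch), the following Ruby shows a toy Markdown renderer that passes inline HTML through unchanged, and an allowlist sanitizer applied to the rendered output. The renderer, tag list and regexes are constructed for the example; a production deployment would use a maintained HTML sanitizer library rather than hand-written regexes.

```ruby
require 'cgi'

# Constructed allowlist: tags and attributes the rendered output may keep.
ALLOWED_TAGS  = %w[p em strong code pre a ul ol li br].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_URL      = %r{\A(?:https?:|mailto:|/|#)}i

# Naive renderer: handles *emphasis* and [text](url) but, like a formatter
# lacking sanitization, leaves any inline HTML in the source untouched.
def render_unsafe(md)
  html = md.gsub(/\*(.+?)\*/, '<em>\1</em>')
  html = html.gsub(/\[(.+?)\]\((.+?)\)/, '<a href="\2">\1</a>')
  "<p>#{html}</p>"
end

# Rebuild one opening tag, keeping only allowlisted attributes with safe values
# (event handlers such as onclick are never on the list; href must be a safe scheme).
def clean_tag(name, attrs)
  kept = attrs.scan(/([a-z][\w-]*)\s*=\s*"([^"]*)"/i).select do |attr, val|
    allowed = ALLOWED_ATTRS.fetch(name, [])
    allowed.include?(attr.downcase) && (attr.downcase != 'href' || val =~ SAFE_URL)
  end
  attr_str = kept.map { |a, v| %( #{a.downcase}="#{CGI.escapeHTML(v)}") }.join
  "<#{name}#{attr_str}>"
end

# Allowlist sanitizer over rendered HTML: script blocks are dropped entirely,
# unknown tags are escaped to text so the browser never treats them as markup,
# and allowed tags are rebuilt with only their permitted attributes.
def sanitize(html)
  html = html.gsub(%r{<script\b.*?</script>}mi, '')
  html.gsub(%r{</?([a-z][a-z0-9]*)([^<>]*)>}i) do |tag|
    name, attrs = $1.downcase, $2
    next CGI.escapeHTML(tag) unless ALLOWED_TAGS.include?(name)
    tag.start_with?('</') ? "</#{name}>" : clean_tag(name, attrs)
  end
end

# The corrected pipeline: render, then sanitize the HTML before it is served.
def render_safe(md)
  sanitize(render_unsafe(md))
end
```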