CVE-2023-47259 in Redmine

Summary

by MITRE • 11/05/2023

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.


Analysis

by VulDB Data Team • 02/22/2026

This vulnerability affects Redmine versions prior to 4.2.11 and 5.0.x versions before 5.0.6, specifically the Textile formatter component that renders user input into web content. The issue stems from insufficient sanitization of user-provided data when Textile markup is processed, allowing a malicious actor to inject a cross-site scripting payload that executes in the context of other users' browsers. The flaw is a classic cross-site scripting vulnerability in server-side rendering: untrusted input flows directly into the output stream without proper encoding or validation. When a user views content containing maliciously crafted Textile markup, the browser executes the injected JavaScript, potentially leading to session hijacking, credential theft, or unauthorized actions performed on the victim's behalf.

Technically, the Textile formatter fails to properly escape HTML characters and script tags within user-generated content before rendering it to web pages. This allows an attacker to embed script elements such as <script>alert(document.cookie)</script>, or more sophisticated payloads that exfiltrate data, modify page content, or redirect users to malicious sites. The vulnerability is particularly dangerous in collaborative environments where multiple users interact with shared project information, since a single malicious Textile input affects every user who views the affected content. The flaw maps to CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), one of the most prevalent web application weaknesses and a risk catalogued in the OWASP Top Ten Project.

The operational impact extends beyond simple data theft or defacement: because Redmine often serves as a central collaboration platform, an attacker can use this vulnerability to establish persistent access within project environments, monitor team communications, manipulate project data, or escalate privileges within the application. In enterprise settings where Redmine is integrated with other systems, the initial XSS foothold could facilitate lateral movement across the network and compromise larger infrastructure. The attack surface is broad because Textile formatting is used throughout Redmine for issue descriptions, wiki pages, and documentation, all of which accept rich text input from users.

Organizations should immediately upgrade to Redmine 4.2.11 or 5.0.6 (or later), where the vulnerability is patched through proper input validation and output encoding. Administrators should add protective measures such as a content security policy that restricts script execution, regular security scanning of user-generated content, and monitoring for suspicious formatting patterns. Mitigation should also include educating users about the risks of embedding untrusted markup in collaborative environments and enforcing access controls that limit who can submit content rendered on public-facing pages. Organizations still running older versions should consider a web application firewall or proxy that detects and blocks known XSS patterns in real time, though such measures are temporary workarounds rather than permanent fixes. This vulnerability demonstrates the importance of keeping software components up to date and applying robust input sanitization, as outlined in the ATT&CK framework under TA0001 - Initial Access and TA0002 - Execution, where such flaws serve as entry points for more sophisticated attacks.
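The escaping defect described above, and the content-scanning check suggested as a mitigation, illustrated with a constructed toy Textile-style formatter. This is an added example written for this page, not Redmine's own formatter or its patch; the markup subset (*bold*, _italic_), the function names and the sample input are all assumptions.

```ruby
require 'cgi'

# Toy Textile-style formatter (constructed for illustration, NOT Redmine's
# code). It supports only *bold* and _italic_, which is enough to show the
# pattern behind CVE-2023-47259: markup must be applied to text that has
# already been HTML-escaped, otherwise raw HTML typed by a user is emitted.

# Vulnerable variant: markup is applied to the raw text, so any tag the
# user typed (including <script>) reaches the rendered page unchanged.
def textile_to_html_unsafe(text)
  text.gsub(/\*(.+?)\*/, '<strong>\1</strong>')
      .gsub(/_(.+?)_/, '<em>\1</em>')
end

# Hardened variant: escape <, >, &, " and ' first, then apply markup.
# The only tags that can appear in the output are the ones this function
# itself emits.
def textile_to_html_safe(text)
  CGI.escapeHTML(text)
     .gsub(/\*(.+?)\*/, '<strong>\1</strong>')
     .gsub(/_(.+?)_/, '<em>\1</em>')
end

# Defensive check for a content-scan job or a test suite: true only if the
# rendered HTML contains no tag outside the formatter's own allowlist.
ALLOWED_TAGS = %w[strong em].freeze

def only_allowed_tags?(html)
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten
      .map(&:downcase)
      .all? { |tag| ALLOWED_TAGS.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: legitimate markup followed by a script tag.
  sample = 'Status: *done* <script>alert(1)</script>'
  puts textile_to_html_unsafe(sample)  # script tag survives
  puts textile_to_html_safe(sample)    # script tag rendered as text
  puts only_allowed_tags?(textile_to_html_safe(sample))  # true
end
```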

Reservation

11/05/2023

Disclosure

11/05/2023

Moderation

accepted

CPE

ready

EPSS

0.00397

KEV

no

Activities

very low

Sources
