CVE-2023-47258 - Exploiting the Redmine Markdown XSS Vulnerability (With Exploit Example)

Redmine is a popular project management web application, loved by developers around the world. But sometimes, even the best tools have security gaps. In this post, we’ll break down CVE-2023-47258, a specific security vulnerability found in Redmine before 4.2.11 and 5..x before 5..6, allowing attackers to exploit a Cross-Site Scripting (XSS) issue in the Markdown formatter. We'll explain what happened, how it could be abused, show you an exploit sample, and share original references for deeper reading.

What Is CVE-2023-47258?

CVE-2023-47258 is a vulnerability affecting Redmine, discovered in November 2023. It allows attackers to inject malicious JavaScript by exploiting how Redmine handles Markdown-formatted content. In simple terms, this means an attacker can trick the system into running code in the browser of anyone viewing a specially crafted project or task comment.

How Does the Vulnerability Work?

When rendering Markdown input, Redmine failed to sanitize certain elements properly. For example, it mishandled malformed or sneaky Markdown links containing JavaScript payloads. This lets a user input script code in text fields (like issues, wikis, or comments), which gets executed in someone else’s browser – a classic XSS attack.

The Exploit: How Attackers Leverage It

Here's an example of how an attacker might exploit this bug using Markdown in a Redmine comment, issue, or wiki:

Exploit Markdown Snippet

[Click Me](javascript:alert('XSS'))

If a vulnerable Redmine version renders this without sanitizing the javascript: scheme, anyone clicking the "Click Me" link triggers an alert box – or, worse, runs harmful scripts.

Even scarier: A more visually disguised payload could look like this

[!]("javascript:alert('XSS')")

Or even

![image](javascript:alert('stolen cookies'))

Attackers commonly hide these scripts so users trust the link and click it unknowingly.

Perform actions as other users

All by planting scripts inside Markdown fields. XSS is a serious threat to both data and user confidence.

Download and changelog

- Redmine Downloads
- Redmine 5..6 Changelog

The fix ensures Markdown links are cleaned up and javascript: URIs are no longer allowed.

References and Further Reading

- Redmine Security Advisory
- CVE-2023-47258 Entry (NVD)
- Original Redmine ticket #40296

Look for suspicious Markdown links in comments or wikis, especially with javascript: links.

3. Use browser developer tools to check if any injected scripts appear unexpectedly in rendered comment sections.

Final Words

XSS vulnerabilities might sound technical, but they’re straightforward in practice and dangerous if left unpatched. If your Redmine site is not updated, attackers can easily exploit this Markdown bug. Update Redmine to 4.2.11 or 5..6+ right now to secure your projects and users.

Have questions? Need help with remediation? Hit the comment box below or check the references linked above for step-by-step guides.

Timeline

Published on: 11/05/2023 04:15:10 UTC
Last modified on: 11/14/2023 18:29:41 UTC