CVE-2012-2054 Information

Description

Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model’s attributes which allows remote attackers to set attributes in the (1) Comment (2) Document (3) IssueCategory (4) MembersController (5) Message (6) News (7) TimeEntry (8) Version (9) Wiki (10) UserPreference or (11) Board model via a modified URL related to a \mass assignment\ vulnerability a different vulnerability than CVE-2012-0327.

Reference

http://www.redmine.org/boards/2/topics/29343 http://www.redmine.org/issues/10390 http://www.redmine.org/versions/42