CVE-2025-4011: 
Redmine vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in Redmine versions 6.0.0 through 6.0.3. The vulnerability affects the Custom Query Handler component, specifically in the handling of the Name argument. The issue was discovered and disclosed on April 28, 2025 (NVD, VulDB).

The vulnerability exists within the query[name] parameter in the Custom Query feature. When a specially crafted payload is submitted via this parameter, it is stored and later rendered without proper sanitization, allowing arbitrary JavaScript code execution in the context of other users' browsers. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (Medium) and a CVSS v3.1 score of 3.5 (Low) (NVD).

The vulnerability can be exploited by an authenticated attacker to perform account hijacking, phishing attacks, data theft, or execute unauthorized actions via CSRF. The attack can be initiated remotely, though it requires user interaction for successful exploitation (Wiz).

The vulnerability has been fixed in Redmine version 6.0.4. Users are strongly recommended to upgrade to this version to address the security issue. No alternative workarounds have been provided (Redmine Security).