CVE-2022-44637: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2022-44637, n/a, CWE-79
Published: Mon Dec 12 2022 (12/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. Depending on the configuration, this may require login as a registered user.

AI-Powered Analysis

Last updated: 06/22/2025, 07:05:07 UTC

Technical Analysis

CVE-2022-44637 is a medium-severity vulnerability affecting Redmine project management software versions prior to 4.2.9 and 5.0.x versions before 5.0.4. The vulnerability arises from improper sanitization in the Textile formatter component, specifically within Redcloth3 Textile-formatted fields. Textile is a lightweight markup language used in Redmine to format text input. Due to insufficient input sanitization, an attacker can inject persistent Cross-Site Scripting (XSS) payloads into Textile-formatted fields. This persistent XSS allows malicious scripts to be stored on the server and executed in the browsers of users who view the affected content. The vulnerability requires user interaction in the form of a victim viewing the malicious content and may require the attacker to be authenticated as a registered user depending on the Redmine configuration. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low attack complexity and no privileges required, but user interaction is necessary. The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, perform actions on behalf of users, or manipulate displayed data. Availability is not impacted. The scope is changed, meaning the vulnerability affects components beyond the vulnerable code itself. No known exploits in the wild have been reported as of the publication date. No official patch links were provided in the source data, but the fixed versions are 4.2.9 and 5.0.4 or later.

Potential Impact

For European organizations using Redmine versions prior to the fixed releases, this vulnerability poses a risk of persistent XSS attacks that can compromise user sessions and data integrity. Since Redmine is widely used for project management and issue tracking, exploitation could lead to unauthorized access to sensitive project information, manipulation of issue data, or phishing attacks targeting internal users. The requirement for user interaction and potentially authenticated access limits the attack surface but does not eliminate risk, especially in environments with many registered users or where external collaborators have access. The impact is particularly relevant for sectors with strict data protection regulations such as finance, healthcare, and government, where leakage or manipulation of project data could have compliance and operational consequences. Additionally, the persistent nature of the XSS increases the risk of widespread impact within an organization once the malicious payload is stored. The vulnerability does not affect system availability, so denial-of-service is not a concern here.

Mitigation Recommendations

1. Upgrade Redmine installations to version 4.2.9 or 5.0.4 (or later) immediately to apply the official fix addressing the Textile formatter sanitization issue.
2. Review and restrict user permissions to minimize the number of users able to input Textile-formatted content, especially those with write access to project descriptions or issue fields.
3. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of potential XSS payloads.
4. Conduct regular security audits and input validation reviews on custom Textile or markup usage within Redmine to detect and remediate unsafe content.
5. Educate users about the risks of clicking on links or interacting with content from untrusted sources within Redmine.
6. Monitor Redmine logs and user activity for unusual behavior indicative of XSS exploitation attempts.
7. If upgrading is not immediately feasible, consider disabling Textile formatting or limiting its use to trusted users only as a temporary workaround.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-03T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9847c4522896dcbf5b6f

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 7:05:07 AM

Last updated: 7/28/2025, 11:44:24 PM
