Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.Referenceshttps://www.redmine.org/projects/redmine/wiki/Security_Advisories