CVE-2020-36306
Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.
Date published : 2021-04-06
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html