diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index 31b28cc0..5dac7354 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -56,7 +56,7 @@ class VersionsController < ApplicationController
     if params[:version]
       attributes = params[:version].dup
       attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
-      @version.attributes = attributes
+      @version.safe_attributes = attributes
     end
   end
 
@@ -66,7 +66,7 @@ class VersionsController < ApplicationController
     if params[:version]
       attributes = params[:version].dup
       attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
-      @version.attributes = attributes
+      @version.safe_attributes = attributes
     end
 
     if request.post?
@@ -101,7 +101,8 @@ class VersionsController < ApplicationController
     if request.put? && params[:version]
       attributes = params[:version].dup
       attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])
-      if @version.update_attributes(attributes)
+      @version.safe_attributes = attributes
+      if @version.save
         flash[:notice] = l(:notice_successful_update)
         redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
       else
diff --git a/app/models/version.rb b/app/models/version.rb
index 898ab4d1..62833446 100644
--- a/app/models/version.rb
+++ b/app/models/version.rb
@@ -13,6 +13,7 @@
 #++
 
 class Version < ActiveRecord::Base
+  include Redmine::SafeAttributes
   after_update :update_issues_from_sharing_change
   belongs_to :project
   has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify
@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
   named_scope :visible, lambda {|*args| { :include => :project,
                                           :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
 
+  safe_attributes 'name',
+    'description',
+    'effective_date',
+    'due_date',
+    'wiki_page_title',
+    'status',
+    'sharing',
+    'custom_field_values'
+
   # Returns true if +user+ or current user is allowed to view the version
   def visible?(user=User.current)
     user.allowed_to?(:view_issues, self.project)