Lucene search

[email protected]NVD:CVE-2023-30619

HistoryMay 04, 2023 - 2:15 p.m.

CVE-2023-30619

2023-05-0414:15:11

CWE-79

[email protected]

web.nvd.nist.gov

tuleap

open source

traceability

application development

system development

artifact

tooltip

malicious user

uncontrolled code

patch

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

40.1%

JSON

Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code. This issue has been patched in version 14.7.99.143.

Affected configurations

NVD

Node

enaleantuleapRange14.7.99.76–14.7.99.143community

References

github.com/Enalean/tuleap/commit/fdc93a736cbccad05de16ff0cc7cc3ef18dc93df

github.com/Enalean/tuleap/security/advisories/GHSA-7fm3-cr3g-5922

tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=fdc93a736cbccad05de16ff0cc7cc3ef18dc93df

tuleap.net/plugins/tracker/?aid=31586