Lucene search

[email protected]NVD:CVE-2023-35929

HistoryJul 25, 2023 - 6:15 p.m.

CVE-2023-35929

2023-07-2518:15:10

CWE-79

[email protected]

web.nvd.nist.gov

tuleap

uncontrolled code execution

vulnerability

software development

collaboration

cve-2023-35929

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

30.5%

JSON

Tuleap is a free and open source suite to improve management of software development and collaboration. Prior to version 14.10.99.4 of Tuleap Community Edition and prior to versions 14.10-2 and 14.9-5 of Tuleap Enterprise Edition, content displayed in the “card fields” (visible in the kanban and PV2 apps) is not properly escaped. A malicious user with the capability to create an artifact or to edit a field used as a card field could force victim to execute uncontrolled code. Tuleap Community Edition 14.10.99.4, Tuleap Enterprise Edition 14.10-2, and Tuleap Enterprise Edition 14.9-5 contain a fix.

Affected configurations

NVD

Node

enaleantuleapRange<14.9-5enterprise

enaleantuleapRange<14.10.99.4community

enaleantuleapRange14.10–14.10-2enterprise

References

github.com/Enalean/tuleap/commit/0b2945fbd260d37aa0aff2ca1c867d160f76188d

github.com/Enalean/tuleap/security/advisories/GHSA-xhjp-4rjf-q268

tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=0b2945fbd260d37aa0aff2ca1c867d160f76188d

tuleap.net/plugins/tracker/?aid=32629