4.6

CVE-2025-29929

Tuleap is missing CSRF protection on tracker hierarchy administration

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protection on tracker hierarchy administration. An attacker could use this vulnerability to trick victims into submitting or editing artifacts or follow-up comments. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742306712 and Tuleap Enterprise Edition 16.5-5 and 16.4-8.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnaleanTuleap SwEditionenterprise Version < 16.4-8
EnaleanTuleap SwEditioncommunity Version < 16.5.99.1742306712
EnaleanTuleap SwEditionenterprise Version >= 16.5 < 16.5-5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.075
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com 4.6 2.1 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/Enalean/tuleap/commit/dce61747f3a169da1f6b585ad5e6e0847fa3c950
Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-hqqr-p5f6-26vv
Third Party Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=dce61747f3a169da1f6b585ad5e6e0847fa3c950
Broken Link
https://tuleap.net/plugins/tracker/?aid=42231
Vendor Advisory