5.3

CVE-2025-52899

Tuleap vulnerable to user enumeration via the lost password form

Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnaleanTuleap SwEditionenterprise Version < 16.8-4
EnaleanTuleap SwEditioncommunity Version < 16.9.99.1750843170
EnaleanTuleap SwEditionenterprise Version >= 16.9 < 16.9-2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.192
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://github.com/Enalean/tuleap/security/advisories/GHSA-xqf3-xxxf-x3c2
Third Party Advisory
https://github.com/Enalean/tuleap/commit/5c72d6d253016d38ed472eb7918f772d074ddb07
Patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5c72d6d253016d38ed472eb7918f772d074ddb07
Permissions Required
https://tuleap.net/plugins/tracker/?aid=43674
Vendor Advisory
Issue Tracking