4.6

CVE-2025-65962

Tuleap has missing CSRF protections its in tracker field dependencies

Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are mission CSRF protections in its tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnaleanTuleap SwEditionenterprise Version < 16.13-9
EnaleanTuleap SwEditioncommunity Version < 17.0.99.1763803709
EnaleanTuleap SwEditionenterprise Version >= 17.0 < 17.0-4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.033
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com 4.6 2.1 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/Enalean/tuleap/security/advisories/GHSA-9hgc-cm68-rrgc
Vendor Advisory
https://github.com/Enalean/tuleap/commit/26678c5b411042e68964b199bf88a44607550633
Patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=26678c5b411042e68964b199bf88a44607550633
Patch
https://tuleap.net/plugins/tracker/?aid=45632
Vendor Advisory
Issue Tracking