CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37167 – Tuleap has improper permissions of the backlog items
https://notcve.org/view.php?id=CVE-2024-37167
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users are able to see backlog items that they should not see. This issue has been patched in Tuleap Community Edition version 15.9.99.97. Tuleap es una suite de código abierto para mejorar la gestión de los desarrollos de software y la colaboración. Los usuarios pueden ver los elementos pendientes que no deberían ver. • https://github.com/Enalean/tuleap/commit/13eec93a353d2daf47bb8b9c548cc02f78b93a5e https://github.com/Enalean/tuleap/security/advisories/GHSA-4c9f-284j-phvj https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=13eec93a353d2daf47bb8b9c548cc02f78b93a5e https://tuleap.net/plugins/tracker/?aid=38297 • CWE-285: Improper Authorization •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-25130 – Tuleap's mass update clears the permissions on artifact field
https://notcve.org/view.php?id=CVE-2024-25130
Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue. Tuleap es una suite de código abierto para mejorar la gestión de los desarrollos de software y la colaboración. Antes de la versión 15.5.99.76 de Tuleap Community Edition y antes de las versiones 15.5-4 y 15.4-7 de Tuleap Enterprise Edition, los usuarios con acceso de lectura a un rastreador donde se utiliza la función de actualización masiva podían obtener acceso a información restringida. • https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667 https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667 https://tuleap.net/plugins/tracker/?aid=36803 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23344 – Tuleap's content of artifacts might be readable by unauthorized users
https://notcve.org/view.php?id=CVE-2024-23344
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Some users might get access to restricted information when a process validates the permissions of multiple users (e.g. mail notifications). This issue has been patched in version 15.4.99.140 of Tuleap Community Edition. Tuleap es una suite de código abierto para mejorar la gestión de los desarrollos de software y la colaboración. Algunos usuarios pueden obtener acceso a información restringida cuando un proceso valida los permisos de múltiples usuarios (por ejemplo, notificaciones por correo). • https://github.com/Enalean/tuleap/commit/0329e21d268510bc00fed707406103edabf10e42 https://github.com/Enalean/tuleap/security/advisories/GHSA-m3v5-2j5q-x85w https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=0329e21d268510bc00fed707406103edabf10e42 https://tuleap.net/plugins/tracker/?aid=35862 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-48715 – Tuleap vulnerable to Cross-site Scripting on the edition page of a release
https://notcve.org/view.php?id=CVE-2023-48715
Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.2.99.103 of Tuleap Community Edition and prior to versions 15.2-4 and 15.1-8 of Tuleap Enterprise Edition, the name of the releases are not properly escaped on the edition page of a release. A malicious user with the ability to create a FRS release could force a victim having write permissions in the FRS to execute uncontrolled code. Tuleap Community Edition 15.2.99.103, Tuleap Enterprise Edition 15.2-4, and Tuleap Enterprise Edition 15.1-8 contain a fix for this issue. Tuleap es una suite de código abierto para mejorar la gestión de los desarrollos de software y la colaboración. • https://github.com/Enalean/tuleap/commit/ea71ec7ee062aae8d1fa7a7325aaa759205c17d8 https://github.com/Enalean/tuleap/security/advisories/GHSA-3m7g-7787-wc68 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=ea71ec7ee062aae8d1fa7a7325aaa759205c17d8 https://tuleap.net/plugins/tracker/?aid=35143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39521 – Tuleap vulnerable to Cross-site Scripting on the success message of a kanban deletion
https://notcve.org/view.php?id=CVE-2023-39521
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped. An agile dashboard administrator deleting a kanban with a malicious label can be forced to execute uncontrolled code. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue. • https://github.com/Enalean/tuleap/commit/93d10654b1d95c5bf500204666310418b01b8a8d https://github.com/Enalean/tuleap/security/advisories/GHSA-h9xc-w7qq-vpfc https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=93d10654b1d95c5bf500204666310418b01b8a8d https://tuleap.net/plugins/tracker/?aid=33656 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •