
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users are able to see backlog items that they should not see. This issue has been patched in Tuleap Community Edition version 15.9.99.97.
• https://github.com/Enalean/tuleap/commit/13eec93a353d2daf47bb8b9c548cc02f78b93a5e
• https://github.com/Enalean/tuleap/security/advisories/GHSA-4c9f-284j-phvj
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=13eec93a353d2daf47bb8b9c548cc02f78b93a5e
• https://tuleap.net/plugins/tracker/?aid=38297
• CWE-285: Improper Authorization

CVSS: 7.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could exploit this issue on purpose to delete information on the instance or possibly gain access to restricted artifacts. It is however not possible to control exactly which information is deleted. Information from the Date, File, Float, Int, List, OpenList, Text, and Permissions on artifact (this one can lead to the disclosure of restricted information) fields can be impacted. This vulnerability is fixed in Tuleap Community Edition version 15.7.99.6 and Tuleap Enterprise Edition 15.7-2, 15.6-5, 15.5-6, 15.4-8, 15.3-6, 15.2-5, 15.1-9, 15.0-9, and 14.12-6.
• https://github.com/Enalean/tuleap/commit/a0ba0ae82a29eb8bfacef286778e5e49954f5316
• https://github.com/Enalean/tuleap/security/advisories/GHSA-jc7g-4pcv-8jcj
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=a0ba0ae82a29eb8bfacef286778e5e49954f5316
• https://tuleap.net/plugins/tracker/?aid=37545
• CWE-440: Expected Behavior Violation
• CWE-670: Always-Incorrect Control Flow Implementation

CVSS: 5.4 • EPSS: 0% • CPEs: 3 • EXPL: 0

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue.
• https://github.com/Enalean/tuleap/commit/57978a32508f5c6d0365419b6eaeb368aee20667
• https://github.com/Enalean/tuleap/security/advisories/GHSA-mq7f-m6mj-hjj5
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=57978a32508f5c6d0365419b6eaeb368aee20667
• https://tuleap.net/plugins/tracker/?aid=36803
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Some users might get access to restricted information when a process validates the permissions of multiple users (e.g. mail notifications). This issue has been patched in version 15.4.99.140 of Tuleap Community Edition.
• https://github.com/Enalean/tuleap/commit/0329e21d268510bc00fed707406103edabf10e42
• https://github.com/Enalean/tuleap/security/advisories/GHSA-m3v5-2j5q-x85w
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=0329e21d268510bc00fed707406103edabf10e42
• https://tuleap.net/plugins/tracker/?aid=35862
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.4 • EPSS: 0% • CPEs: 3 • EXPL: 0

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.2.99.103 of Tuleap Community Edition and prior to versions 15.2-4 and 15.1-8 of Tuleap Enterprise Edition, the names of releases are not properly escaped on the edition page of a release. A malicious user with the ability to create a FRS release could force a victim having write permissions in the FRS to execute uncontrolled code. Tuleap Community Edition 15.2.99.103, Tuleap Enterprise Edition 15.2-4, and Tuleap Enterprise Edition 15.1-8 contain a fix for this issue.
• https://github.com/Enalean/tuleap/commit/ea71ec7ee062aae8d1fa7a7325aaa759205c17d8
• https://github.com/Enalean/tuleap/security/advisories/GHSA-3m7g-7787-wc68
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=ea71ec7ee062aae8d1fa7a7325aaa759205c17d8
• https://tuleap.net/plugins/tracker/?aid=35143
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')