Page 5 of 39 results (0.009 seconds)

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue. • https://docs.tuleap.org/administration-guide/users-management/security/site-access.html https://github.com/Enalean/tuleap/commit/7e221a9d1893c13407b35008762757a76d8e5654 https://github.com/Enalean/tuleap/commit/cc38bcc59ce0c733ca915d95daec5f3082fb17ca https://github.com/Enalean/tuleap/security/advisories/GHSA-hvx6-4228-whj3 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=7e221a9d1893c13407b35008762757a76d8e5654 https://tuleap.net/plugins/tracker/?aid=26816 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports. Tuleap es una suite libre y de código abierto para administrar el desarrollo de software y la colaboración. En versiones anteriores a 13.7.99.239, Tuleap no verifica apropiadamente las autorizaciones cuando muestra el contenido del renderizador de informes de seguimiento y los widgets de gráficos. • https://github.com/Enalean/tuleap/commit/8e99e7c82d9fe569799019b9e1d614d38a184313 https://github.com/Enalean/tuleap/security/advisories/GHSA-x962-x43g-qw39 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=8e99e7c82d9fe569799019b9e1d614d38a184313 https://tuleap.net/plugins/tracker/?aid=26729 • CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0

Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6. • https://github.com/Enalean/tuleap/commit/b82be896b00a787ed46a77bd4700e8fccfe2e5ba https://github.com/Enalean/tuleap/security/advisories/GHSA-x8fr-8gvw-cc4v https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=b82be896b00a787ed46a77bd4700e8fccfe2e5ba https://tuleap.net/plugins/tracker/?aid=24202 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0

Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. • https://github.com/Enalean/tuleap/commit/bd47f29847fcd6a68d359bc8aefb8749bb8a1b7c https://github.com/Enalean/tuleap/security/advisories/GHSA-887w-pv2r-x8pm https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=bd47f29847fcd6a68d359bc8aefb8749bb8a1b7c https://tuleap.net/plugins/tracker/?aid=24149 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •

CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0

Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. • https://github.com/Enalean/tuleap/commit/64e77561eba9f8233199c2962b3497ed7294a7d2 https://github.com/Enalean/tuleap/security/advisories/GHSA-887w-pv2r-x8pm https://github.com/Enalean/tuleap/security/advisories/GHSA-cwv9-hhm4-jr84 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=64e77561eba9f8233199c2962b3497ed7294a7d2 https://tuleap.net/plugins/tracker/?aid=24168 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •