CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions, an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.17.99.144, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.

• https://github.com/Enalean/tuleap/commit/ab12b686ced4cf233d3b15b08da008e0553eb6a6
• https://github.com/Enalean/tuleap/security/advisories/GHSA-6462-gfv9-jf83
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=ab12b686ced4cf233d3b15b08da008e0553eb6a6
• https://tuleap.net/plugins/tracker/?aid=16213
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions, Tuleap does not properly sanitize user input when constructing the SQL query used to browse and search revisions in the CVS repositories. The following versions contain the fix: Tuleap Community Edition 11.17.99.146, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.

• https://github.com/Enalean/tuleap/commit/ff75f2899c60a4546ee2d532e68a3febd07bdd14
• https://github.com/Enalean/tuleap/security/advisories/GHSA-f8jp-hx4q-wxvr
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=ff75f2899c60a4546ee2d532e68a3febd07bdd14
• https://tuleap.net/plugins/tracker/?aid=16214
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

Tuleap Open ALM is a libre and open source tool for end-to-end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with the ability to add one of the CI widgets to their personal dashboard could execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.

• https://github.com/Enalean/tuleap/commit/91535add59f4b3a04b6b8eab123c002cd5af180d
• https://github.com/Enalean/tuleap/security/advisories/GHSA-3c4q-8c35-cp63
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=91535add59f4b3a04b6b8eab123c002cd5af180d
• https://tuleap.net/plugins/tracker/?aid=15028
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 1

Tuleap Open ALM is a libre and open source tool for end-to-end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with admin rights in one agile dashboard service can execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.

• https://github.com/Enalean/tuleap/commit/d6b2f8b8c5098938bc094726a4826479ddbee941
• https://github.com/Enalean/tuleap/security/advisories/GHSA-j2mq-65wv-prmp
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6b2f8b8c5098938bc094726a4826479ddbee941
• https://tuleap.net/plugins/tracker/?aid=15131
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

Tuleap Open ALM is a libre and open source tool for end-to-end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachments on an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue.

• https://github.com/Enalean/tuleap/commit/d6c837ed6fa66d319175954a42f93d4d86745208
• https://github.com/Enalean/tuleap/security/advisories/GHSA-p3j6-6h9h-34r5
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d6c837ed6fa66d319175954a42f93d4d86745208
• https://tuleap.net/plugins/tracker/?aid=22570
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')