CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47767 – Tuleap lists trackers in the quick add actions of the backlog without any permissions check
https://notcve.org/view.php?id=CVE-2024-47767
Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to. Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue. • https://github.com/Enalean/tuleap/commit/16d9efccb2fad8e10343be2604e94c9058ef2c89 https://github.com/Enalean/tuleap/commit/e5ce81279766115dc0f126a11d6b5065b5db7eec https://github.com/Enalean/tuleap/commit/f89d7093d2c576ad5e2b35a6a096fcdaf563d1df https://github.com/Enalean/tuleap/security/advisories/GHSA-j342-v27q-329v https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=16d9efccb2fad8e10343be2604e94c9058ef2c89 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=e5ce81279766115dc0f126a11d6b5065b5db7eec https://tuleap.net/plugins/git&#x • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47766 – Permissions are incorrectly verified for project administrators in the cross tracker search widget
https://notcve.org/view.php?id=CVE-2024-47766
Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, administrators of a project can access the content of trackers with permissions restrictions of project they are members of but not admin via the cross tracker search widget. Tuleap Community Edition 15.13.99.110, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue. • https://github.com/Enalean/tuleap/commit/529d11b70796589767dd27a40ebadf3eaf8f5674 https://github.com/Enalean/tuleap/security/advisories/GHSA-qfrh-fv84-93hx https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=529d11b70796589767dd27a40ebadf3eaf8f5674 https://tuleap.net/plugins/tracker/?aid=39736 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46988 – Tuleap does not properly check permissions for email notifications in trackers
https://notcve.org/view.php?id=CVE-2024-46988
Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.40, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, users might receive email notification with information they should not have access to. Tuleap Community Edition 15.13.99.40, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6 fix this issue. • https://github.com/Enalean/tuleap/security/advisories/GHSA-g76g-hc92-96xw https://tuleap.net/plugins/tracker/?aid=39686 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46980 – Tuleap vulnerable to XSS in the HTML mail content of the cross reference field
https://notcve.org/view.php?id=CVE-2024-46980
Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, a site administrator could create an artifact link type with a forward label allowing them to execute uncontrolled code (or at least achieve content injection) in a mail client. Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6 fix this issue. • https://github.com/Enalean/tuleap/commit/dd94a799982cd78ab06142008d745edf9e8fd494 https://github.com/Enalean/tuleap/security/advisories/GHSA-9fc9-47h6-82jj https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=dd94a799982cd78ab06142008d745edf9e8fd494 https://tuleap.net/plugins/tracker/?aid=39689 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39902 – Tuleap's recursive permissions to document manager folder are not properly applied
https://notcve.org/view.php?id=CVE-2024-39902
Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox "Apply same permissions to all sub-items of this folder" in the document manager permissions modal is not taken into account and always considered as unchecked. In situations where the permissions are being restricted some users might still keep, incorrectly, the possibility to edit or manage items. Only change made via the web UI are affected, changes directly made via the REST API are not impacted. This vulnerability is fixed in Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8. • https://github.com/Enalean/tuleap/commit/580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb https://github.com/Enalean/tuleap/security/advisories/GHSA-5jq5-vxmq-xrj7 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=580161e8a065fba30ca5ca1f6f1bdb4f4b1424bb https://tuleap.net/plugins/tracker/?aid=38675 • CWE-281: Improper Preservation of Permissions •