Nicolas Terray

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 16.1.99.50 Tuleap Enterprise Edition versions prior to 16.1-4 Tuleap Enterprise Edition versions prior to 16.0-7 **Description** A malicious user with the ability to create an artifact in a tracker with a Gantt chart could force a victim to execute uncontrolled code. **Recommendations** For Tuleap Community Edition versions prior to 16.1.99.50, update to version 16.1.99.50 or later. For Tuleap Enterprise Edition versions prior to 16.1-4, update to version 16.1-4 or later. For Tuleap Enterprise Edition versions prior to 16.0-7, update to version 16.0-7 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 15.4.99.140 **Description** Tuleap is an Open Source Suite to improve management of software developments and collaboration. Some users might get access to restricted information when a process validates the permissions of multiple users, such as during mail notifications. **Recommendations** For versions prior to 15.4.99.140, update to version 15.4.99.140 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and mail notifications until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 14.5.99.4 **Description** The issue is a cross-site scripting attack that can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this to force a victim to execute uncontrolled code in the context of their browser. **Recommendations** For versions prior to 14.5.99.4, upgrade to Tuleap Community Edition version 14.5.99.4 to address the issue. As a temporary workaround, consider restricting access to the tracker administration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 13.9.99.111 **Description** The issue arises from the improper escaping of a document's title in the search result of the MyDocmanSearch widget and in the administration page of locked documents. This could allow a malicious user, who has the capability to create a document, to force a victim to execute uncontrolled code. **Recommendations** For versions prior to 13.9.99.111, upgrade to a version that contains the fix for this issue. At the moment, there is no information about other mitigation measures for this issue.