Thomas Gerbet

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 16.10.99.1754050155 Tuleap Enterprise Edition versions prior to 16.9-8 Tuleap Enterprise Edition versions prior to 16.10-5 **Description** Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. An attacker can access the content of special and always-there fields of accessible artifacts even if the associated permissions do not allow it. **Recommendations** Update Tuleap Community Edition to version 16.10.99.1754050155. Update Tuleap Enterprise Edition to version 16.9-8. Update Tuleap Enterprise Edition to version 16.10-5.

Name of the Vulnerable Software and Affected Versions: Tuleap Community Edition versions prior to 16.8.99.1748845907 Tuleap Enterprise Edition versions prior to 16.8-3 Tuleap Enterprise Edition versions prior to 16.7-5 Description: An attacker could use a vulnerability present in Tuleap to trick victims into changing the canned responses. Recommendations: For Tuleap Community Edition versions prior to 16.8.99.1748845907, update to version 16.8.99.1748845907 or later. For Tuleap Enterprise Edition versions prior to 16.8-3, update to version 16.8-3 or later. For Tuleap Enterprise Edition versions prior to 16.7-5, update to version 16.7-5 or later.

Name of the Vulnerable Software and Affected Versions: Tuleap Community Edition versions prior to 16.8.99.1749830289 Tuleap Enterprise Edition versions prior to 16.9-1 Description: The issue is a cross-site request forgery vulnerability that could be exploited by an attacker to trick victims into changing the canned responses. Recommendations: For Tuleap Community Edition versions prior to 16.8.99.1749830289, update to version 16.8.99.1749830289 or later. For Tuleap Enterprise Edition versions prior to 16.9-1, update to version 16.9-1 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 16.5.99.1741784483 Tuleap Enterprise Edition versions prior to 16.5-3 and 16.4-8 **Description** The issue is related to missing CSRF protections on artifact submission and edition from the tracker view. An attacker could exploit this to trick victims into submitting or editing artifacts or follow-up comments. **Recommendations** For Tuleap Community Edition versions prior to 16.5.99.1741784483, update to version 16.5.99.1741784483 or later. For Tuleap Enterprise Edition versions prior to 16.5-3, update to version 16.5-3 or later. For Tuleap Enterprise Edition version 16.4, update to version 16.4-8 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 16.5.99.1742812323 Tuleap Enterprise Edition versions prior to 16.5-6 and 16.4-10 **Description** The issue allows an attacker to access release notes content or information via the FRS REST endpoints that they should not have access to. This is a problem related to access control in the Tuleap software suite, which is used for managing software developments and collaboration. **Recommendations** For Tuleap Community Edition versions prior to 16.5.99.1742812323, update to version 16.5.99.1742812323 or later. For Tuleap Enterprise Edition versions prior to 16.5-6, update to version 16.5-6 or later. For Tuleap Enterprise Edition versions prior to 16.4-10, update to version 16.4-10 or later. As a temporary workaround, consider restricting access to the FRS REST endpoints until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 16.5.99.1742562878 Tuleap Enterprise Edition versions prior to 16.5-5 and 16.4-8 **Description** The issue allows cross-site scripting (XSS) via the content of RSS feeds in the RSS widgets. A project administrator or someone with control over an used RSS feed could use this to force victims to execute uncontrolled code. **Recommendations** For Tuleap Community Edition versions prior to 16.5.99.1742562878, update to version 16.5.99.1742562878 or later. For Tuleap Enterprise Edition versions prior to 16.5-5, update to version 16.5-5 or later. For Tuleap Enterprise Edition versions prior to 16.4-8, update to version 16.4-8 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 16.4.99.1740492866 Tuleap Enterprise Edition versions prior to 16.4-6 and 16.3-11 **Description** The issue concerns the management of sensitive information, specifically the password for connecting to the Redis instance, which is not properly removed from system data archives generated by the `tuleap collect-system-data` command. These archives may be accessed by support teams, who should not have access to this password. **Recommendations** For Tuleap versions prior to 16.4.99.1740492866, update to version 16.4.99.1740492866 or later. For Tuleap Enterprise Edition versions prior to 16.4-6, update to version 16.4-6 or later. For Tuleap Enterprise Edition version 16.3, update to version 16.3-11 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 16.4.99.1740414959 Tuleap Enterprise Edition versions prior to 16.4-6 and 16.3-11 **Description** The issue is related to the lack of CSRF protections on tracker fields administrative operations in Tuleap. This allows an attacker to trick victims into removing or updating tracker fields. **Recommendations** For Tuleap Community Edition versions prior to 16.4.99.1740414959, update to version 16.4.99.1740414959 or later. For Tuleap Enterprise Edition versions prior to 16.4-6, update to version 16.4-6 or later. For Tuleap Enterprise Edition versions prior to 16.3-11, update to version 16.3-11 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 16.4.99.1740067916 Tuleap Enterprise Edition versions prior to 16.4-5 and 16.3-10 **Description** Tuleap is an Open Source Suite to improve management of software developments and collaboration. It allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this issue to force other tracker administrators to execute uncontrolled code. **Recommendations** For Tuleap versions prior to 16.4.99.1740067916, update to Tuleap Community Edition 16.4.99.1740067916 or later. For Tuleap Enterprise Edition versions prior to 16.4-5, update to Tuleap Enterprise Edition 16.4-5 or later. For Tuleap Enterprise Edition versions prior to 16.3-10, update to Tuleap Enterprise Edition 16.3-10 or later. As a temporary workaround, consider restricting access to the tracker names used in the semantic timeframe deletion message until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 16.3.99.1737562605 Tuleap Enterprise Edition versions prior to 16.3-5 Tuleap Enterprise Edition versions prior to 16.2-7 **Description** Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users, possibly anonymous ones if the widget is used in the dashboard of a public project, might get access to artifacts they should not see. **Recommendations** For Tuleap Community Edition versions prior to 16.3.99.1737562605, upgrade to version 16.3.99.1737562605 or later. For Tuleap Enterprise Edition versions prior to 16.3-5, upgrade to version 16.3-5 or later. For Tuleap Enterprise Edition versions prior to 16.2-7, upgrade to version 16.2-7 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 16.3.99.1736242932 Tuleap Enterprise Edition versions prior to 16.2-5 Tuleap Enterprise Edition versions prior to 16.3-2 **Description** An unauthorized user might get access to restricted information in affected versions of Tuleap. **Recommendations** For Tuleap Community Edition versions prior to 16.3.99.1736242932, upgrade to version 16.3.99.1736242932. For Tuleap Enterprise Edition versions prior to 16.2-5, upgrade to version 16.2-5. For Tuleap Enterprise Edition versions prior to 16.3-2, upgrade to version 16.3-2.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 15.13.99.37 Tuleap Enterprise Edition versions prior to 15.13-3 Tuleap Enterprise Edition version 15.12-6 and earlier **Description** The issue allows a site administrator to create an artifact link type with a forward label, enabling them to execute uncontrolled code or achieve content injection in a mail client. This affects Tuleap, a tool for end-to-end traceability of application and system developments. **Recommendations** For Tuleap Community Edition versions prior to 15.13.99.37, update to version 15.13.99.37 or later. For Tuleap Enterprise Edition versions prior to 15.13-3, update to version 15.13-3 or later. For Tuleap Enterprise Edition version 15.12-6 and earlier, update to a version later than 15.12-6.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 15.9.99.97 **Description** The issue allows users to see backlog items that they should not have access to. This is a problem related to the management of software developments and collaboration within the Tuleap Open Source Suite. **Recommendations** For versions prior to 15.9.99.97, update to Tuleap Community Edition version 15.9.99.97 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 14.11.99.28 Tuleap Enterprise Edition versions prior to 14.10-6 Tuleap Enterprise Edition versions prior to 14.11-3 **Description** The issue arises from content not being properly escaped in the "card fields" of Tuleap, which can be seen in the kanban and PV2 apps. This can lead to an agile dashboard administrator being forced to execute uncontrolled code when deleting a kanban with a malicious label. **Recommendations** For Tuleap Community Edition versions prior to 14.11.99.28, update to version 14.11.99.28 or later. For Tuleap Enterprise Edition versions prior to 14.10-6, update to version 14.10-6 or later. For Tuleap Enterprise Edition versions prior to 14.11-3, update to version 14.11-3 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 14.10.99.4 Tuleap Enterprise Edition versions prior to 14.10-2 and 14.9-5 **Description** The issue affects the display of content in "card fields" within the kanban and PV2 apps, where the content is not properly escaped. This could allow a malicious user with the capability to create an artifact or edit a field used as a card field to force a victim to execute uncontrolled code. **Recommendations** For Tuleap Community Edition versions prior to 14.10.99.4, update to version 14.10.99.4 or later. For Tuleap Enterprise Edition versions prior to 14.10-2, update to version 14.10-2 or later. For Tuleap Enterprise Edition versions prior to 14.9-5, update to version 14.9-5 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 14.9.99.63 **Description** The issue occurs when switching from a project visibility that allows restricted users to `Private without restricted`, where restricted users that are project administrators retain their access rights. These users can still access the project and perform some administration actions. **Recommendations** For versions prior to 14.9.99.63, upgrade to version 14.9.99.63 to resolve the issue. As a temporary workaround, consider restricting access to project administration actions for restricted users who were project administrators before the visibility switch, until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Tuleap Community Edition versions prior to 14.8.99.60 Tuleap Enterprise Edition versions prior to 14.8-3 Tuleap Enterprise Edition versions prior to 14.7-7 **Description** The issue concerns the improper escaping of logs of triggered Jenkins job URLs. A malicious Git administrator can set up a malicious Jenkins hook, potentially making a victim, also a Git administrator, execute uncontrolled code. **Recommendations** For Tuleap Community Edition versions prior to 14.8.99.60, update to version 14.8.99.60 or later. For Tuleap Enterprise Edition versions prior to 14.8-3, update to version 14.8-3 or later. For Tuleap Enterprise Edition versions prior to 14.7-7, update to version 14.7-7 or later.

**Name of the Vulnerable Software and Affected Versions** Tuleap Open ALM versions prior to 14.7.99.143 **Description** The title of an artifact is not properly escaped in the tooltip, allowing a malicious user with the capability to create an artifact or edit a field title to force a victim to execute uncontrolled code. A malicious user could exploit this issue by creating or editing an artifact with a specially crafted title. **Recommendations** For versions prior to 14.7.99.143, update to version 14.7.99.143 or later to resolve the issue. As a temporary workaround, consider restricting the ability to create or edit artifacts and field titles to trusted users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PdfBook extension versions 2.0.5 and earlier **Description** The issue allows command injection via an option. **Recommendations** For PdfBook extension versions 2.0.5 and earlier, update to a version after b07b6a64 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tuleap versions prior to 14.2.99.104 Tuleap Community Edition version 14.2.99.104 Tuleap Enterprise Edition version 14.2-4 Tuleap Enterprise Edition version 14.1-5 **Description** Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets, such as the number of members or the content of the Notes widget. **Recommendations** For versions prior to 14.2.99.104, update to Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, or Tuleap Enterprise Edition 14.1-5 to resolve the issue. As a temporary workaround, consider restricting access to the project "homepage"/dashboards until the update is applied. Avoid using the widgets that provide sensitive information, such as the number of members or the content of the Notes widget, until the issue is resolved.