CVE-2017-7981

Name of the Vulnerable Software and Affected Versions Tuleap versions prior to 9.7 PhpWiki versions prior to 1.5.5

Description The issue allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin in the Project Wiki component. This occurs because the proc open PHP function is used with a syntax value in its first argument, which can be controlled by an authenticated Tuleap user, including shell metacharacters. For example, a line like '<?plugin SyntaxHighlighter syntax=c;id>' can be used to execute the id command.

Recommendations For Tuleap versions prior to 9.7, update to version 9.7 or later. For PhpWiki versions prior to 1.5.5, update to version 1.5.5 or later. As a temporary workaround, consider disabling the SyntaxHighlighter plugin until a patch is available.