PT-2023-19309 · Tuleap · Tuleap
Nicolas Terray (+1)
Published: 2023-04-20
Updated: 2023-05-02
CVE-2023-23938
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Tuleap versions prior to 14.5.99.4
Description
The issue is a cross-site scripting (XSS) vulnerability: a payload can be injected into the name of a color of a tracker's select box values and is then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this to force a victim to execute uncontrolled code in the context of their browser.
Recommendations
For versions prior to 14.5.99.4, upgrade to Tuleap Community Edition version 14.5.99.4 to address the issue. As a temporary workaround, consider restricting access to the tracker administration to minimize the risk of exploitation.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Tuleap