PT-2023-26993 · Unknown · Tuleap Enterprise Edition+1
Tgerbet
+1
·
Published
2023-08-24
·
Updated
2023-08-30
·
CVE-2023-39521
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Tuleap Community Edition versions prior to 14.11.99.28
Tuleap Enterprise Edition versions prior to 14.10-6
Tuleap Enterprise Edition versions prior to 14.11-3
Description
The issue arises from content not being properly escaped in the "card fields" of Tuleap, which can be seen in the kanban and PV2 apps. This can lead to an agile dashboard administrator being forced to execute uncontrolled code when deleting a kanban with a malicious label.
Recommendations
For Tuleap Community Edition versions prior to 14.11.99.28, update to version 14.11.99.28 or later.
For Tuleap Enterprise Edition versions prior to 14.10-6, update to version 14.10-6 or later.
For Tuleap Enterprise Edition versions prior to 14.11-3, update to version 14.11-3 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tuleap Community Edition
Tuleap Enterprise Edition