Enalean Tuleap
cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*
- < 16.5.99.1742306712
- < 16.5-5
- < 16.4-8
A vulnerability exists in Tuleap's tracker hierarchy administration because the feature lacks Cross-Site Request Forgery (CSRF) protection. This flaw allows attackers to deceive users into modifying or adding artifacts and comments. The issue is present in Tuleap Community Edition versions prior to 16.5.99.1742306712 and Tuleap Enterprise Edition versions prior to 16.5-5 and 16.4-8.
Exploitation of this vulnerability could lead to unauthorized changes in the hierarchy of trackers, allowing the manipulation of tracker relationships and dependencies.
The vulnerable endpoint is the 'admin-hierarchy' function of a tracker: because the hierarchy administration page carries no CSRF protection, a hierarchy update submitted to it without the necessary CSRF token is accepted.
Upgrade to Tuleap Community Edition 16.5.99.1742306712 or Tuleap Enterprise Edition 16.5-5 or 16.4-8 to address this vulnerability.