Tuleap User Enumeration Vulnerability via Password Reset Form

Vulnerability

A user enumeration vulnerability has been identified in the Tuleap Open Source Suite, affecting the Community Edition prior to version 16.9.99.1750843170 and the Enterprise Edition prior to versions 16.8-4 and 16.9-2. The forgot password form returns a different error message depending on whether the submitted account exists, so an unauthenticated attacker can submit candidate usernames and use the response to confirm which ones are registered.
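The following is an added illustration of the flaw class described above, not Tuleap's own code: a minimal forgot-password handler that leaks account existence through its response, beside a hardened version that returns the same status and message on both paths. The user store, the messages, and the function names are constructed assumptions for the example; is_enumeration_oracle() is the check an attacker (or a tester) performs, comparing the visible response for a known account against one for a random address.

```python
"""Constructed example of a user-enumeration leak in a forgot-password form.
Not Tuleap code: USERS, the messages and the handler names are assumptions."""
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: email address -> account record.
USERS = {"alice@example.org": {"name": "alice"}}

# Single message used for every outcome of the hardened handler.
GENERIC_MESSAGE = ("If an account matches the address you entered, "
                   "a password reset link has been sent.")


@dataclass
class Outbox:
    """Stand-in for the mail subsystem; the attacker never sees its contents."""
    sent: list = field(default_factory=list)


def vulnerable_forgot_password(email: str, outbox: Outbox) -> tuple:
    """Leaks existence: status code and message differ between the two paths."""
    user = USERS.get(email)
    if user is None:
        return 400, "No account is registered with this email address."
    token = secrets.token_urlsafe(32)
    outbox.sent.append((email, token))
    return 200, "A password reset link has been sent."


def hardened_forgot_password(email: str, outbox: Outbox) -> tuple:
    """Same status and message whether or not the account exists.

    Only the outbox differs, which is invisible to the caller. The token is
    generated on both paths so the work done (and hence the response time)
    does not depend on account existence either.
    """
    user = USERS.get(email)
    token = secrets.token_urlsafe(32)
    if user is not None:
        outbox.sent.append((email, token))
    return 200, GENERIC_MESSAGE


def is_enumeration_oracle(handler) -> bool:
    """Attacker's view of a handler: True if the visible response for a known
    account differs from the response for a random, non-existent address."""
    known = handler("alice@example.org", Outbox())
    unknown = handler("nobody-" + secrets.token_hex(8) + "@example.org", Outbox())
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler is an oracle:",
          is_enumeration_oracle(vulnerable_forgot_password))  # True
    print("hardened handler is an oracle:",
          is_enumeration_oracle(hardened_forgot_password))    # False
```

The uniform message is the core fix, but it is not sufficient on its own: the response body, status code, headers, redirect target and response time all have to match across the two paths, and the endpoint should still be rate-limited, since an attacker who cannot read the difference directly may still try to infer it from timing or from mail-delivery side channels.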

Impact

Exploitation of this vulnerability allows user enumeration: an unauthenticated attacker can determine which usernames are registered on the platform. The resulting list of valid accounts is typically used as input to password-spraying, credential-stuffing or targeted phishing campaigns against the instance.

Remediation

Administrators should upgrade to Tuleap Community Edition version 16.9.99.1750843170, or to Tuleap Enterprise Edition version 16.8-4 or 16.9-2, which are the first releases containing the fix.

Added: Jul 29, 2025, 8:24 PM
Updated: Jul 29, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 8.8
remediation: 7.7
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.