Tuleap Cross-Site Scripting Vulnerability in Artifact Link Display

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Tuleap, affecting both the Community and Enterprise Editions. In versions prior to Tuleap Community Edition 16.9.99.1751892857 and Tuleap Enterprise Edition 16.8-5 and 16.9-3, malicious users could inject harmful code into certain artifacts. When the children of a parent artifact were displayed, this injected code was executed in the browsers of other users viewing the page. The issue has been addressed in the latest versions of both editions.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create an artifact with a parent in a tracker that does not use the unified artifact link field. Add a child to the parent artifact, then change your real name to include an image tag with an 'onerror' event. Finally, open the children list on the artifact view to trigger the XSS payload.
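The root cause described above is a user-controlled display field (the submitter's real name) reaching the children list without output encoding. The following is an added example, not Tuleap's own code: it assumes a simplified JSON shape for the children of a parent artifact and shows the vulnerable string-concatenation pattern next to a hardened version that escapes every dynamic value at the point of output.

```javascript
// Constructed sample: children of a parent artifact, as a REST-like payload.
// The submitter's real name is profile data the submitting user controls.
const SAMPLE_CHILDREN = [
  { id: 101, title: "Fix login redirect", status: "Open",
    submitted_by: { real_name: "Alice Example" } },
  { id: 102, title: "Update docs", status: "Closed",
    // Constructed hostile real name of the kind the advisory describes.
    submitted_by: { real_name: "<img src=x onerror=alert(1)>" } },
];

// Minimal HTML escaping, safe for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: dynamic values concatenated into markup unchanged,
// so a real name containing a tag becomes live markup in the viewer's browser.
function renderChildrenListUnsafe(children) {
  return children.map((c) =>
    `<tr><td>${c.id}</td><td>${c.title}</td><td>${c.status}</td>` +
    `<td>${c.submitted_by.real_name}</td></tr>`
  ).join("");
}

// Hardened pattern: every value is escaped where it is written into HTML,
// regardless of which field it came from or who controls it.
function renderChildrenList(children) {
  return children.map((c) =>
    `<tr><td>${escapeHtml(c.id)}</td><td>${escapeHtml(c.title)}</td>` +
    `<td>${escapeHtml(c.status)}</td>` +
    `<td>${escapeHtml(c.submitted_by.real_name)}</td></tr>`
  ).join("");
}

// Review/test helper: does rendered output still contain a raw <img> tag?
function leaksRawImgTag(html) {
  return /<img\b/i.test(html);
}
```

In a browser, building the rows with `document.createElement` and `textContent` achieves the same result without hand-rolled escaping; the escaping function is shown here so the two patterns can be compared as plain strings.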

Remediation

Users can upgrade to Tuleap Community Edition 16.9.99.1751892857 or Tuleap Enterprise Edition 16.9-3 or 16.8-5 to address this vulnerability.

Added: Jul 29, 2025, 8:19 PM
Updated: Jul 29, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.