Tuleap Missing Cross-Site Request Forgery Protections Allow Tracker Trigger Manipulation

Vulnerability

A vulnerability exists in Tuleap Community Edition versions prior to 17.0.99.1763126988 and Tuleap Enterprise Edition versions prior to 17.0-3 and 16.13-8. These versions lack adequate Cross-Site Request Forgery (CSRF) protections in the management of tracker triggers, so an attacker can create or remove tracker triggers on behalf of an authenticated victim.

Impact

Exploitation of this vulnerability could lead to unauthorized creation or deletion of tracker triggers, potentially disrupting workflow management.

Reproduction

To reproduce this vulnerability, the target instance must be running an affected version of Tuleap. An attacker can then craft a cross-site request that exploits the missing CSRF protection, tricking an authenticated user into unintentionally adding or removing a tracker trigger.
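The defect class described above, shown as an added illustration rather than Tuleap's own code: a minimal trigger-management handler in its vulnerable shape (only the session cookie is checked) beside the hardened shape that also requires a synchronizer token bound to the session. All names, the in-memory stores and the form field `csrf_token` are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a session store and the tracker triggers
# (hypothetical; not Tuleap's own data model).
SESSIONS = {}   # session_id -> {"user": str, "csrf_token": str}
TRIGGERS = {}   # tracker_id -> set of trigger names


def login(user):
    """Create a session and bind a fresh, unguessable synchronizer token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def manage_trigger_unprotected(session_id, form):
    """Vulnerable shape: any request carrying the victim's session cookie is honoured,
    including one submitted by a form on an attacker-controlled site."""
    if session_id not in SESSIONS:
        return "401 unauthenticated"
    return _apply(form)


def manage_trigger_protected(session_id, form):
    """Hardened shape: the request must also carry the token bound to this session.
    A cross-site page cannot read that token, so a forged request fails here."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 unauthenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 csrf token mismatch"
    return _apply(form)


def _apply(form):
    """The state change itself: add or remove a trigger on a tracker (constructed model)."""
    bucket = TRIGGERS.setdefault(form["tracker_id"], set())
    if form["action"] == "add":
        bucket.add(form["trigger"])
    elif form["action"] == "remove":
        bucket.discard(form["trigger"])
    else:
        return "400 unknown action"
    return "200 ok"
```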

Remediation

To address this vulnerability, upgrade to Tuleap Community Edition 17.0.99.1763126988, or to Tuleap Enterprise Edition 17.0-3 or 16.13-8.

Added: Dec 8, 2025, 11:18 PM
Updated: Dec 8, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.9
impact          0.6
exploitability  6.0
remediation     7.7
relevance       1.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.