CVE-2025-27402

Published: Mar 4, 2025Modified: Aug 22, 2025

4.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Exploitability: 2.1 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

Affected (3)

Products: Enalean: Tuleap

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Enalean Tuleap	Before 16.4.99.1740414959
Enalean Tuleap	Before 16.3-11
Enalean Tuleap	From 16.4 to 16.4-6

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (3)

https://github.com/Enalean/tuleap/commit/ea6319e2ad40beeda335af4ccd7a204a6912765c

Source: security-advisories@github.com

Patch

https://github.com/Enalean/tuleap/security/advisories/GHSA-66pg-cpjf-2mfg

Source: security-advisories@github.com

PatchThird Party Advisory

https://tuleap.net/plugins/tracker/?aid=41857

Source: security-advisories@github.com

Issue TrackingVendor Advisory

Timeline

No history available yet.