CVE-2025-27402

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/Enalean/tuleap/commit/ea6319e2ad40beeda335af4ccd7a204a6912765c	Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-66pg-cpjf-2mfg	Third Party Advisory Patch
https://tuleap.net/plugins/tracker/?aid=41857	Vendor Advisory Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

History

22 Aug 2025, 15:37

Type	Values Removed	Values Added
First Time		Enalean Enalean tuleap
CPE		cpe:2.3:a:enalean:tuleap:::::enterprise:::* cpe:2.3:a:enalean:tuleap:::::community:::*
Summary		(es) Tuleap es una suite de código abierto para mejorar la gestión de los desarrollos de software y la colaboración. Tuleap carece de protecciones CSRF en las operaciones administrativas de los campos de seguimiento. Un atacante podría usar esta vulnerabilidad para engañar a las víctimas para que eliminen o actualicen los campos de seguimiento. Esta vulnerabilidad se ha corregido en Tuleap Community Edition 16.4.99.1740414959 y Tuleap Enterprise Edition 16.4-6 y 16.3-11.
References	~~() https://github.com/Enalean/tuleap/commit/ea6319e2ad40beeda335af4ccd7a204a6912765c -~~	() https://github.com/Enalean/tuleap/commit/ea6319e2ad40beeda335af4ccd7a204a6912765c - Patch
References	~~() https://github.com/Enalean/tuleap/security/advisories/GHSA-66pg-cpjf-2mfg -~~	() https://github.com/Enalean/tuleap/security/advisories/GHSA-66pg-cpjf-2mfg - Third Party Advisory, Patch
References	~~() https://tuleap.net/plugins/tracker/?aid=41857 -~~	() https://tuleap.net/plugins/tracker/?aid=41857 - Vendor Advisory, Issue Tracking

04 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-04 17:15

Updated : 2025-08-22 15:37

NVD link : CVE-2025-27402

Mitre link : CVE-2025-27402

CVE.ORG link : CVE-2025-27402

JSON object : View

Products Affected

enalean

tuleap

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

4.6 /10