XSS in the tooltip via an artifact title

Moderate

LeSuisse published GHSA-7fm3-cr3g-5922

May 2, 2023

Package

Tuleap Community Edition (tuleap)

Affected versions

>= 14.7.99.76 && < 14.7.99.143

Patched versions

14.7.99.143

Description

The title of an artifact is not properly escaped in the tooltip.

Impact

A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code.

Patches

The following version contain the fix:

Tuleap Community Edition 14.7.99.143

For more information

If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.

References

Severity

Moderate

5.4

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N