First published: Thu Apr 20 2023(Updated: )
Tuleap is a Free & Source tool for end to end traceability of application and system developments. Affected versions are subject to a cross site scripting attack which can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Enalean Tuleap | <14.4-7 | |
Enalean Tuleap | >=13.8.99.49<14.5.99.4 | |
Enalean Tuleap | >=14.5<14.5-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-23938 is a vulnerability in Tuleap that allows for cross-site scripting attacks.
The severity of CVE-2023-23938 is medium with a CVSS score of 4.8.
CVE-2023-23938 affects certain versions of Tuleap, allowing for cross-site scripting attacks.
To fix CVE-2023-23938, it is recommended to update Tuleap to a patched version.
You can find more information about CVE-2023-23938 on the Tuleap GitHub page and the Tuleap security advisories page.