CVE-2024-52599: Tuleap vulnerable to XSS in the Gantt chart of the tracker plugin

5.4 CVSS

Description

Tuleap is an open source suite for managing software development and collaboration. In Tuleap Community Edition prior to version 16.1.99.50, and in Tuleap Enterprise Edition prior to versions 16.1-4 and 16.0-7, a malicious user with the ability to create an artifact in a tracker that has a Gantt chart could get uncontrolled code executed in the browser of a victim who views that chart, i.e. a stored cross-site scripting (XSS) issue. Tuleap Community Edition 16.1.99.50, Tuleap Enterprise Edition 16.1-4, and Tuleap Enterprise Edition 16.0-7 contain a fix.
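The page does not say which artifact field reaches the Gantt chart or how the chart renders it, so the following is an added, generic illustration of the stored-XSS class the advisory describes; it is not Tuleap's code. It assumes the injection point is an artifact title interpolated into the SVG/HTML markup of a Gantt bar: the vulnerable renderer concatenates the raw title, the hardened renderer escapes it and validates the numeric id. The sample artifact, the function names (renderBarVulnerable, renderBarHardened, escapeHtml, hasForeignTag) and the template tag set are all constructed for this example.

```javascript
// Added example for the stored-XSS class behind CVE-2024-52599.
// NOT Tuleap's Gantt code; the field and rendering path are assumptions.

// Constructed sample artifact, as a user with "create artifact" permission
// on the tracker could submit it. The title carries an XSS payload.
const ATTACKER_ARTIFACT = {
  id: '1234',
  title: '<img src=x onerror="alert(document.cookie)">',
  start: '2024-11-01',
  end: '2024-11-15',
};

// Vulnerable renderer (assumed shape): untrusted field values are
// interpolated straight into markup, so the payload becomes a live element.
function renderBarVulnerable(artifact) {
  return `<g class="gantt-bar" data-artifact-id="${artifact.id}">` +
    `<title>${artifact.title}</title>` +
    `<text>${artifact.title}</text></g>`;
}

// Escape the five characters that matter in HTML/SVG text nodes and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every user-controlled value is escaped before it is
// placed in text content, and the id is validated as a non-negative integer
// before it is placed in an attribute.
function renderBarHardened(artifact) {
  const id = Number.parseInt(artifact.id, 10);
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError('artifact id must be a non-negative integer');
  }
  const title = escapeHtml(artifact.title);
  return `<g class="gantt-bar" data-artifact-id="${id}">` +
    `<title>${title}</title>` +
    `<text>${title}</text></g>`;
}

// Check used to show the difference: the template only ever emits <g>,
// <title> and <text>; any other tag name in the output came from a field
// value, which is exactly what a stored-XSS payload looks like.
const TEMPLATE_TAGS = new Set(['g', 'title', 'text']);
function hasForeignTag(markup) {
  for (const m of markup.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

console.log('vulnerable output contains injected tag:',
  hasForeignTag(renderBarVulnerable(ATTACKER_ARTIFACT)));
console.log('hardened output contains injected tag:',
  hasForeignTag(renderBarHardened(ATTACKER_ARTIFACT)));
```

Escaping at the output site is the fix that generalizes: a Gantt chart typically also renders dates, progress values and links from artifact fields, and each of those needs the same treatment (or a templating layer such as a framework's text binding that escapes by default) rather than relying on input filtering at artifact creation time.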

Classification

CVE ID: CVE-2024-52599

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

Affected Products

Vendor: Enalean

Product: tuleap

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 17.81% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://github.com/Enalean/tuleap/security/advisories/GHSA-489c-fm2j-qjw7
https://github.com/Enalean/tuleap/commit/d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5
https://tuleap.net/plugins/tracker/?aid=40459

Timeline