Description	Shortcut
Open this window	`?`
Open the "+ New" dropdown	`c`
Go to personal dashboard	`d`
Open the "Switch to..." modal	`/` / `s`

Description	Shortcut
Focus first sidebar service	`shift + g`
Go to Test Management	`g + e`
Go to Trackers	`g + t`
Go to Git	`g + i`
Go to Documents	`g + d`
Go to Backlog	`g + b`
Go to Kanban	`g + k`

request #42231 Missing CSRF protection on tracker hierarchy administration

Infos

Artifact ID#42231

Submitted byJoris MASSON (jmasson)

Last Modified On2025-03-31 10:16

Submitted on2025-03-17 19:13

Rank43907

Details

Summary *

Missing CSRF protection on tracker hierarchy administration

Original Submission

In the administration of a Tracker, in the "Tracker hierarchy", there is no CSRF protection when choosing the list of children trackers.

Impact

An attacker could use this vulnerability to trick victims into changing the hierarchy of a tracker.

CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)

References

CWE 352
Cross-Site Request Forgery - OWASP
CVE-2025-29929

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toJoris MASSON (jmasson)

StatusClosed

Close date2025-03-18

Attachments

Connected artifacts

Artifact links

By type:
Fixed in
Trackers:
Releases

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #41092	Tuleap	Releases	16.6	Delivered	2025-03-26 17:54	Manuel Vacelet (vaceletm)

Reverse artifact links

By type:
Trackers:

Empty

AttachmentsEmpty

References

Cross references

Referencing request #42231

Git commit

tuleap/tuleap/stable

fix: request #42231 Missing CSRF protection on tracker hierarchy administration dce61747f3

Joris MASSON (jmasson) , 20 days ago

Merge commit 'refs/changes/46/33846/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c2e5a2996b

Marie Ange Garnier (marieange) , 20 days ago

Show items referenced by request #42231

Referenced by request #42231

Artifact Tracker v5

rel #41092 16.6

Git commit

tuleap/tuleap/stable

fix: request #42231 Missing CSRF protection on tracker hierarchy administration dce61747f3

Joris MASSON (jmasson) , 20 days ago

Other

gerrit #33846

Follow-ups

Thomas Gerbet (tgerbet)

7 days ago

Public disclosure.

Thomas Gerbet (tgerbet)

10 days ago

CVE-2025-29929 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

20 days ago

Connected artifacts
- Added Fixed in: rel #41092

Tracker Workflow Manager (forge__tracker_workflow_manager)

20 days ago

request fixed by @jmasson with git #tuleap/stable/dce61747f3a169da1f6b585ad5e6e0847fa3c950.

Status changed from Under review to Closed
Close date set to 2025-03-18

Joris MASSON (jmasson)

20 days ago

See gerrit #33846

Status changed from Under implementation to Under review

Joris MASSON (jmasson)

20 days ago

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Galleries

Public

Impact

References

Artifact links

Releases

Fixed in

Reverse artifact links

Referencing request #42231

Git commit

tuleap/tuleap/stable

Referenced by request #42231

Artifact Tracker v5

Git commit

tuleap/tuleap/stable

Other

Follow-ups