A reflected XSS could be injected via the status parameter of the project list page in the site administration.
Impact
An attacker could use this vulnerability to force a victim to execute uncontrolled code.
CVSSv3 score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploitation
While logged in as a user with site administration rights, go to https://<tuleap_url>/admin/grouplist.php?status="><script>alert(1)</script>
If you use a browser with good Content Security Policy support, the vulnerability can be harder to exploit.
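The pattern behind this class of bug and its fix, as an added example that is not Tuleap's code and not part of the original advisory: a request value written into an HTML attribute unescaped, next to a version that validates and encodes it and sends a Content Security Policy header. The function names, the markup and the status allow-list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the advisory does not give the real status values.
const ALLOWED_STATUSES = ['active', 'pending', 'suspended', 'deleted'];

// Vulnerable pattern: the request value is concatenated into an attribute
// as-is, so a value containing "> closes the attribute and the tag.
function render_status_field_vulnerable(string $status): string
{
    return '<input type="hidden" name="status" value="' . $status . '">';
}

// Encode for an HTML attribute context: ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: strict allow-list first, output encoding regardless.
function render_status_field_hardened(string $status): string
{
    if (!in_array($status, ALLOWED_STATUSES, true)) {
        $status = ''; // unknown value: fall back to "no filter"
    }
    return '<input type="hidden" name="status" value="' . encode_attr($status) . '">';
}

// Second layer: a policy without 'unsafe-inline' makes the browser refuse
// inline <script> blocks even if an encoding step is missed somewhere.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample input, same shape as the value in the URL above.
$sample = '"><script>alert(1)</script>';

echo render_status_field_vulnerable($sample), PHP_EOL;
echo render_status_field_hardened($sample), PHP_EOL;
echo encode_attr($sample), PHP_EOL;
```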
References
https://cwe.mitre.org/data/definitions/79.html
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Credit
Thanks to Mehmet Ince from PRODAFT for responsibly disclosing this vulnerability.