Tuleap does not properly sanitize user input when constructing SQL queries in the widgets management area.
Impact
An authenticated attacker could execute arbitrary SQL queries.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Proof of concept
One possible way to demonstrate the vulnerability is to go to the update layout page (My Personal Page -> Customize widgets -> Customize layout) and to intercept the update request or modify the form so that the parameter layout_id is set to something like 1 OR SLEEP(50) #. If the vulnerability is present, the request will take a long time to be processed by the database.
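The following is an added illustration, not Tuleap's code: a hypothetical user_layout table and two versions of the layout update, one that splices layout_id into the statement as the advisory describes and one that validates it as an integer and binds it as a query parameter. The table name, columns and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a user -> layout table (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_layout (user_id INTEGER, layout_id INTEGER, is_current INTEGER)")
    con.executemany("INSERT INTO user_layout VALUES (?, ?, ?)", [(1, 1, 0), (1, 2, 0), (2, 1, 0)])
    con.commit()
    return con


def update_layout_vulnerable(con, user_id, layout_id):
    """The request parameter is concatenated straight into the SQL statement."""
    sql = ("UPDATE user_layout SET is_current = 1 "
           f"WHERE user_id = {int(user_id)} AND layout_id = {layout_id}")
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # number of rows the update actually touched


def update_layout_safe(con, user_id, layout_id):
    """Reject anything that is not an integer, then bind the value as a parameter."""
    if isinstance(layout_id, str):
        if not layout_id.strip().isdigit():
            raise ValueError(f"invalid layout_id: {layout_id!r}")
        layout_id = int(layout_id)
    elif not isinstance(layout_id, int):
        raise ValueError(f"invalid layout_id: {layout_id!r}")
    cur = con.execute(
        "UPDATE user_layout SET is_current = 1 WHERE user_id = ? AND layout_id = ?",
        (int(user_id), layout_id),
    )
    con.commit()
    return cur.rowcount


def demo():
    """Run both implementations on the same tautology input and report what each did."""
    results = {
        # AND binds tighter than OR, so the injected condition matches every row.
        "vulnerable_rows": update_layout_vulnerable(make_db(), 1, "1 OR 1=1"),
        "safe_rows": update_layout_safe(make_db(), 1, "1"),
    }
    try:
        update_layout_safe(make_db(), 1, "1 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable version updates all three rows (other users' layouts included) while the hardened version touches exactly one row for a valid id and refuses the injected value before it reaches the database.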
References
https://cwe.mitre.org/data/definitions/89.html
https://www.owasp.org/index.php/SQL_Injection
Credit
Thanks to Mehmet Ince from PRODAFT for responsibly disclosing this vulnerability.