Tuleap does not properly sanitize user input when constructing SQL queries for a tracker report whose criterion is a cross reference or a permissions-on-artifact field.
An attacker with access to a tracker report could execute arbitrary SQL queries.
CVSSv3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Using a select box bound to a user group, select None and use ")" as the second value sent (intercept and modify the request to do so); you will get a DB error caused by the resulting broken query and the lack of proper escaping.
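As an added illustration, not Tuleap's own code and using a constructed toy schema in place of the real tracker tables, the concatenation pattern that produces the DB error above sits beside a hardened version that validates the submitted criteria values and binds them as parameters:

```python
import re
import sqlite3

# Constructed toy schema standing in for a "permissions on artifact" field:
# which user group may see each artifact. This is not Tuleap's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artifact_ugroup (artifact_id INTEGER, ugroup_id INTEGER);
        INSERT INTO artifact_ugroup VALUES (1, 100), (2, 101), (3, 100);
    """)
    return db

def query_unsafe(db, selected):
    # Vulnerable pattern: the submitted criteria values are pasted straight
    # into the IN (...) list. A second value of ")" breaks the statement,
    # which is the DB error the advisory describes.
    sql = ("SELECT artifact_id FROM artifact_ugroup WHERE ugroup_id IN (%s) "
           "ORDER BY artifact_id" % ",".join(selected))
    return [row[0] for row in db.execute(sql)]

def raises_db_error(db, selected):
    # Helper for checking that the unsafe builder fails on malformed input.
    try:
        query_unsafe(db, selected)
    except sqlite3.OperationalError:
        return True
    return False

def query_safe(db, selected):
    # Hardened: every criteria value must be a user-group id (digits only) or
    # the hypothetical "None" sentinel; anything else is rejected before any
    # SQL is built, and the surviving ids are bound as parameters.
    ids = []
    for value in selected:
        if value == "None":  # hypothetical sentinel for "no group selected"
            continue
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError("invalid user group id: %r" % value)
        ids.append(int(value))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT artifact_id FROM artifact_ugroup WHERE ugroup_id IN (%s) "
           "ORDER BY artifact_id" % placeholders)
    return [row[0] for row in db.execute(sql, ids)]
```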
Thank you to Cristiano Maruti (@cmaruti) for reporting this issue and coordinating its disclosure with us.