Tuleap does not properly check the CSRF challenge when the form allowing a user to change his email is submitted.
An attacker could use this vulnerability to successfully take over a victim's account. Tuleap instances relying on LDAP authentication without the "LDAP write" feature are not impacted by the issue as the email change is not managed by Tuleap.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
This vulnerability has been found and reported by @mustafaran on the Eclipse Fundation bug tracker.
bugs.eclipse.org: Bug 531434: CSRF vulnerability in tuleap.eclipse.org that can be used to takeover accounts
Cross-Site Request Forgery - OWASP