Tuleap creates a mailbox for each user with a format like <tuleap_username>@<domain_name> and redirect all the emails from this mailbox to the email defined by the user. This behavior can be abused by an evil user.
Impacts can be diverse and depend on the context in which the Tuleap instance is used.
An attacker could use this to help phishing campaigns by, for example, registering users like abuse, noreply or support.
An attacker can also use this to prove domain ownership and be able to get a certificate for the domain signed by a trusted CA. Domain control validation can be done over email .
CVSSv3 score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
 CA/Browser Forum Baseline Requirements section 184.108.40.206.4 [PDF]