A XSS payload can be injected in a file stored in a SVN repository. When this file is accessed directly with a browser, a XSS could be triggered without the Content Security Policy.
A malicious user with the ability to commit files in a SVN repository could use this vulnerability to force a victim to execute uncontrolled code. However a successful exploitation requires to bypass the strict CSP policy (introduced for the ongoing work in request #17967) which seems unlikely on any of the browsers supported by Tuleap. It should however be noted that Internet Explorer does not support the Content Security Policy header (at least not in any meaningful way) so the impact is bigger for old Tuleap versions.
CVSSv3.1 score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
Create a new SVN repository, commit a file named index.html into it with the following content: <html><body><script>alert(1)</script></body></html>
Access this file directly with your browser. There are at least two ways to do it:
- access the repo URL with your browser and browse it: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/index.html
- access the file with your browser in the same way a SVN client does: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/!svn/rvr/1/index.html
In both cases, if you check your browser console you will see errors about the content security policy.
OWASP Cross-site Scripting