Tuleap does not properly sanitize user settings when constructing the SQL query used to browse and search commits in CVS repositories.
An authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries.
CVSSv3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Go to a project with a CVS service
- Set the user preference commits_browcust<project_id> to something like
- Go to
- Take a look at the executed query/MySQL warnings
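To illustrate the defect pattern and its fix, here is an added example that is not Tuleap's code: a preference value spliced into SQL text versus the same value passed as a bound parameter, with the sort column (which cannot be bound) checked against an allowlist. The table layout, the preference contents and the sample commits are constructed for the example; the advisory does not describe the real schema.

```python
import sqlite3

# Constructed sample rows standing in for the CVS commit table (assumption:
# Tuleap's real schema differs; only the query-building pattern matters).
SAMPLE_COMMITS = [
    (1, "alice", "fix build", "2024-01-02"),
    (2, "o'brien", "add tests", "2024-01-03"),
    (3, "alice", "bump version", "2024-01-04"),
]

# Only these columns may be used for ordering; anything else is rejected.
ALLOWED_SORT_COLUMNS = {"id", "committer", "date"}


def make_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE cvs_commits (id INTEGER, committer TEXT, message TEXT, date TEXT)"
    )
    con.executemany("INSERT INTO cvs_commits VALUES (?, ?, ?, ?)", SAMPLE_COMMITS)
    return con


def browse_commits_unsafe(con, committer_pref):
    # Defect pattern from the advisory: the stored preference becomes SQL text.
    # A value as ordinary as "o'brien" already breaks the statement, which is
    # the kind of database warning the reproduction steps tell you to look for.
    sql = f"SELECT id FROM cvs_commits WHERE committer = '{committer_pref}'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return None  # query failed: the value altered the statement


def browse_commits_safe(con, committer_pref, sort_pref="id"):
    # Fix 1: the preference travels as a bound parameter, never as SQL text.
    # Fix 2: the sort column is validated against an allowlist before use.
    if sort_pref not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort preference: {sort_pref!r}")
    sql = f"SELECT id FROM cvs_commits WHERE committer = ? ORDER BY {sort_pref}"
    return [row[0] for row in con.execute(sql, (committer_pref,))]
```

With the bound parameter the apostrophe in "o'brien" is data, not syntax, so the safe variant returns the matching row while the unsafe one fails.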
OWASP SQL Injection