Tuleap does not sanitize properly user inputs when constructing the SQL query to retrieve data for the tracker reports.
An attacker with the capability to create a new tracker can execute arbitrary SQL queries.
CVSSv3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Create a tracker with the attached tracker XML structure and try to display the column in a report.
OWASP SQL Injection