The title of an artifact is not properly escaped in the tooltip.
A malicious user with the capability to create an artifact or to edit a field title could force a victim to execute uncontrolled code.
CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
The issue can be demonstrated by creating an artifact with a title like
<img src=a onerror=alert(1)> and then displaying the artifact in a tooltip (using a cross reference for example).
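The missing escaping described above, as an added illustration that is not Tuleap's code: a hypothetical tooltip renderer showing unescaped concatenation beside an output-escaped version, with a regression check for markup leaking from the artifact title or a field title. The function names and the artifact object shape are assumptions.

```javascript
// Added example: hypothetical tooltip renderer, not Tuleap's implementation.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: user-controlled strings are concatenated into markup as-is.
function renderTooltipUnsafe(artifact) {
  const rows = artifact.fields.map((f) => `<dt>${f.label}</dt><dd>${f.value}</dd>`).join("");
  return `<div class="tooltip"><strong>${artifact.title}</strong><dl>${rows}</dl></div>`;
}

// Hardened form: every user-controlled string is escaped at the point of output.
function renderTooltipSafe(artifact) {
  const rows = artifact.fields
    .map((f) => `<dt>${escapeHtml(f.label)}</dt><dd>${escapeHtml(f.value)}</dd>`)
    .join("");
  return `<div class="tooltip"><strong>${escapeHtml(artifact.title)}</strong><dl>${rows}</dl></div>`;
}

// Regression check: list tags in the rendered output that the template itself never emits.
const TEMPLATE_TAGS = new Set(["div", "strong", "dl", "dt", "dd"]);
function unexpectedTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample input; the title is the one quoted in the advisory.
const sample = {
  title: "<img src=a onerror=alert(1)>",
  fields: [{ label: "Status <b>", value: 'Open & "new"' }],
};

console.log("unsafe:", unexpectedTags(renderTooltipUnsafe(sample)));
console.log("safe:  ", unexpectedTags(renderTooltipSafe(sample)));
```
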
OWASP Cross-site Scripting
Issue has been introduced by git #tuleap/stable/b61c1f3ffad022fc7347973e5d3bc4c87f2c57dc (Tuleap 18.104.22.168)