request #32629 XSS in the card field of the agile dashboard apps

Artifact

Infos

Artifact ID#32629

Submitted byThomas Gerbet (tgerbet)

Last Modified On2023-07-24 09:14

Submitted on2023-06-21 13:40

Rank34219

Details

Summary *

XSS in the card field of the agile dashboard apps

Original Submission

Content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped.

Impact

A malicious user with the capability to create an artifact or to edit a field used as a card field could force victim to execute uncontrolled code.
CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Exploitation

Have a kanban with a selectbox of users in a card field (e.g. a "Assigned to" field)
Set this field to a user having a realname like ""
Display the kanban

References

CWE 79
OWASP Cross-site Scripting
CVE-2023-35929

CategoryAgile Dashboard

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2023-06-22

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #31540	Tuleap	Releases	14.11	Delivered	2023-18-07 16:04	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #32629

Git commit

tuleap/tuleap/stable

Fixes request #32629: XSS in the card field of the agile dashboard apps 0b2945fbd2

Thomas Gerbet (tgerbet) , 2023-06-22 11:19

Merge commit 'refs/changes/23/28823/5' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 0c52f360b9

Joris MASSON (jmasson) , 2023-06-22 12:56

Show items referenced by request #32629

Referenced by request #32629

Artifact Tracker v5

rel #31540 14.11

Git commit

tuleap/tuleap/stable

Fixes request #32629: XSS in the card field of the agile dashboard apps 0b2945fbd2

Thomas Gerbet (tgerbet) , 2023-06-22 11:19

Other

gerrit #28823

Follow-ups

Thomas Gerbet (tgerbet)

2023-07-24 09:14

Public disclosure.

Thomas Gerbet (tgerbet)

2023-06-23 16:38

CVE-2023-35929 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Joris MASSON (jmasson)

2023-06-22 12:58

gerrit #28823 integrated in Tuleap 14.10.99.4

Connected artifacts
- Added Fixed in: rel #31540

Tracker Workflow Manager (forge__tracker_workflow_manager)

2023-06-22 12:58

request fixed by @tgerbet with git #tuleap/stable/0b2945fbd260d37aa0aff2ca1c867d160f76188d.

Status changed from Under review to Closed
Close date set to 2023-06-22

Thomas Gerbet (tgerbet)

2023-06-21 13:57

See gerrit #28823.

Status changed from Under implementation to Under review