request #41858 XSS via the tracker names used in the semantic timeframe deletion message

Infos

Artifact ID#41858

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-03-03 09:32

Submitted on2025-02-20 16:26

Rank43526

Details

Summary *

XSS via the tracker names used in the semantic timeframe deletion message

Original Submission

The message explaining why a specific field cannot be removed when used by a semantic can contain unescaped information.

Impact

A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code.

CVSSv3.1 score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L)

Exploitation

In 2 trackers have a semantic timeframe with one inherited from the other.
Rename the "source" tracker to something like "><script>alert(1)</script>, open the field administration of the other tracker.

References

CWE 79
OWASP Cross-site Scripting
CVE-2025-27099

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-02-20

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #41091	Tuleap	Releases	16.5	Delivered	2025-02-27 11:44	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #41858

Git commit

tuleap/tuleap/stable

fix: request #41858 XSS via the tracker names used in the semantic timeframe deletion message bec10bd5c9

Thomas Gerbet (tgerbet) , 2025-02-20 16:31

Merge commit 'refs/changes/66/33566/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 5560b054c3

Marie Ange Garnier (marieange) , 2025-02-20 17:11

Show items referenced by request #41858

Referenced by request #41858

Artifact Tracker v5

rel #41091 16.5

Git commit

tuleap/tuleap/stable

fix: request #41858 XSS via the tracker names used in the semantic timeframe deletion message bec10bd5c9

Thomas Gerbet (tgerbet) , 2025-02-20 16:31

Other

gerrit #33566

Follow-ups

Thomas Gerbet (tgerbet)

2025-03-03 09:32

Public disclosure.

Thomas Gerbet (tgerbet)

2025-02-21 09:11

CVE-2025-27099 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Marie Ange Garnier (marieange)

2025-02-20 17:12

Connected artifacts
- Added Fixed in: rel #41091

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-02-20 17:12

request fixed by @tgerbet with git #tuleap/stable/bec10bd5c98f6570a2857f55e9656eec4b211e6c.

Status changed from Under review to Closed
Close date set to 2025-02-20

Thomas Gerbet (tgerbet)

2025-02-20 16:32

See gerrit #33566.

Status changed from Under implementation to Under review