request #45259 Missing CSRF protections in the File Release System

Infos

Artifact ID#45259

Submitted byNicolas Terray (nterray)

Last Modified On2025-11-12 10:13

Submitted on2025-11-03 16:01

Rank46982

Details

Summary *

Missing CSRF protections in the File Release System

Original Submission

Most actions of the File Release System are not protected against CSRFs.

Impact

An attacker could use this vulnerability to trick victims into doing most actions offered by the FRS.
CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)

References

CWE 352
Cross-Site Request Forgery - OWASP
CVE-2025-64482

CategoryDelivery/File release system

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-11-04

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #45259

Git commit

tuleap/tuleap/stable

fix: request #45259 Add missing CSRF protections in the FRS 899b5c1693

Thomas Gerbet (tgerbet) , 2025-11-04 11:46

Merge commit 'refs/changes/98/36098/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 76db0444e7

Nicolas Terray (nterray) , 2025-11-04 15:41

Show items referenced by request #45259

Referenced by request #45259

Artifact

rel #44428 17.0

Git commit

tuleap/tuleap/stable

fix: request #45259 Add missing CSRF protections in the FRS 899b5c1693

Thomas Gerbet (tgerbet) , 2025-11-04 11:46

Other

Follow-ups

Thomas Gerbet (tgerbet)

2025-11-12 10:13

Public disclosure.

Manuel Vacelet (vaceletm)

2025-11-07 10:45

Connected artifacts
- Changed type from no type to Fixed in: rel #44428

Thomas Gerbet (tgerbet)

2025-11-07 08:53

CVE-2025-64482 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Connected artifacts
- Added: rel #44428

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-11-04 15:42

request fixed by @tgerbet with git #tuleap/stable/899b5c1693324211947b72f2810ae8944e1bd0d5.

Status changed from Under review to Closed
Close date set to 2025-11-04

Thomas Gerbet (tgerbet)

2025-11-04 11:53

Summary
-Missing CSRF protections in ~~FRS~~
+Missing CSRF protections in the File Release System

Thomas Gerbet (tgerbet)

2025-11-04 11:50

See gerrit #36098

Summary
-Missing CSRF in FRS
+Missing CSRF protections in FRS
Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Status changed from Verified to Under review

Thomas Gerbet (tgerbet)

2025-11-03 16:16

Category set to Delivery/File release system
Status changed from New to Verified
Assigned to changed from None to Thomas Gerbet (tgerbet)
Reported in version set to All