    request #45592: Missing CSRF protections on planning management

    Infos
    Submitted by: Nicolas Terray (nterray)
    Submitted on: 2025-11-06 14:08
    Last update: 2025-12-08 10:32

    Details
    Missing CSRF protections on planning management

    The state-changing actions used to manage agile dashboard plannings (creating, editing and removing a planning) are not protected against cross-site request forgery (CSRF): the server accepts these requests on the strength of the victim's session cookie alone, without a per-session token that a page on another origin could not supply.

    Impact

    An attacker could exploit this by luring an authenticated user to an attacker-controlled page whose content makes the victim's browser submit a forged planning request, so that a planning is created, edited or removed without the victim's intent.
    CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L). The vector reflects a network-reachable attack of low complexity that needs a low-privileged account (PR:L) and victim interaction (UI:R), with low integrity and availability impact and no confidentiality impact.

    References

    CWE-352: Cross-Site Request Forgery (CSRF)
    Cross-Site Request Forgery - OWASP
    CVE-2025-64499
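    As an added illustration (not the project's own code; the handler, store, session and request names are hypothetical), the following Python shows the shape of the flaw the advisory describes and the synchronizer-token check that closes it: a planning write accepted on the session cookie alone, beside the same write gated on a per-session token that a page served from another origin can neither read nor guess.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of a POST: cookies the browser attaches on its own,
    and form fields chosen by whichever page submitted the request."""
    cookies: dict
    form: dict


@dataclass
class PlanningStore:
    """Hypothetical in-memory stand-in for the plannings table."""
    plannings: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, name: str) -> int:
        planning_id = self.next_id
        self.next_id += 1
        self.plannings[planning_id] = name
        return planning_id


# Constructed session table: one logged-in user whose session holds a
# random synchronizer token that only pages served by this app can read.
SESSIONS = {
    "sess-abc": {"user": "alice", "csrf_token": secrets.token_hex(32)},
}


def current_user(req: Request):
    """Authentication only: whoever presents a valid session cookie."""
    session = SESSIONS.get(req.cookies.get("session_id"))
    return session["user"] if session else None


def render_token(session_id: str) -> str:
    """What the server embeds as a hidden field in its own planning form."""
    return SESSIONS[session_id]["csrf_token"]


def csrf_check(req: Request) -> bool:
    """Synchronizer-token check: the submitted token must equal the one
    stored in the session. Constant-time compare avoids leaking it
    byte by byte through timing."""
    session = SESSIONS.get(req.cookies.get("session_id"))
    if session is None:
        return False
    submitted = req.form.get("challenge", "")
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def create_planning_unprotected(store: PlanningStore, req: Request):
    """Shape of the flaw: the session cookie alone authorizes a write."""
    if current_user(req) is None:
        return None
    return store.create(req.form["name"])


def create_planning_protected(store: PlanningStore, req: Request):
    """Hardened: same write, but only with a token the attacker cannot read."""
    if current_user(req) is None or not csrf_check(req):
        return None
    return store.create(req.form["name"])


# Constructed requests. The browser attaches the session cookie to all of
# them; only the app's own form can include the token.
LEGIT = Request(
    cookies={"session_id": "sess-abc"},
    form={"name": "Release 2", "challenge": render_token("sess-abc")},
)
FORGED = Request(  # auto-submitted from an attacker-controlled page
    cookies={"session_id": "sess-abc"},
    form={"name": "Attacker planning"},
)
GUESSED = Request(  # token field present but wrong
    cookies={"session_id": "sess-abc"},
    form={"name": "Attacker planning", "challenge": "0" * 64},
)


def demo() -> dict:
    """Outcome of each constructed request against each handler."""
    vulnerable, fixed = PlanningStore(), PlanningStore()
    return {
        "unprotected_accepts_forged": create_planning_unprotected(vulnerable, FORGED) is not None,
        "protected_rejects_forged": create_planning_protected(fixed, FORGED) is None,
        "protected_rejects_guessed": create_planning_protected(fixed, GUESSED) is None,
        "protected_accepts_legit": create_planning_protected(fixed, LEGIT) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

    The forged request carries the victim's cookie and is therefore indistinguishable from a legitimate one to current_user(); only the token, which the attacker's page can neither read (same-origin policy) nor guess (256 random bits), separates them. The same check has to sit in front of every state-changing planning action, edit and remove included, not only creation; a SameSite cookie attribute is a useful defence in depth but not a substitute for the token.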

    Category: Agile Dashboard
    Assigned to: Thomas Gerbet (tgerbet)
    Status: Closed (2025-11-06)
    Follow-ups

    Thomas Gerbet (tgerbet), 2025-11-12 09:57
    • Original Submission edited (formatting changes only)

    Thomas Gerbet (tgerbet), 2025-11-07 11:07
    • Original Submission edited (formatting changes only)

    Thomas Gerbet (tgerbet), 2025-11-06 14:14
    • Summary
      -No CSRF check in planning creation
      +Missing CSRF protections on planning management
    • Original Submission edited (formatting changes only)
    • Status changed from New to Under implementation
    • Assigned to changed from None to Thomas Gerbet (tgerbet)