      request #45593 Missing CSRF protections when updating tracker general settings
    Infos
    #45593
    Nicolas Terray (nterray)
    2025-12-08 10:33
    2025-11-06 14:35
    47315
    Details
    Missing CSRF protections when updating tracker general settings

    The update of a tracker's general settings is not protected against CSRF.

    Impact

    An attacker could use this vulnerability to trick victims into changing tracker general settings.
    CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)

    References

    CWE 352
    Cross-Site Request Forgery - OWASP
    CVE-2025-64498

    Trackers
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Nicolas Terray (nterray)
    Closed
    2025-11-06
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2025-11-12 09:56
    • Original Submission
    Thomas Gerbet (tgerbet) 2025-11-06 16:54
    • Summary
      -No CSRF check in tracker general settings 
      +Missing CSRF protections when updating tracker general settings 
    • Original Submission