request #45618 Missing CSRF protections in the management of tracker triggers

Infos

Artifact ID#45618

Submitted byNicolas Terray (nterray)

Last Modified On2025-12-08 10:31

Submitted on2025-11-14 08:54

Rank47344

Details

Summary *

Missing CSRF protections in the management of tracker triggers

Original Submission

There is no CSRF protection when adding or removing a tracker trigger.

Impact

An attacker could use this vulnerability to trick victims into creating or removing a tracker trigger.
CVSSv3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)

References

CWE 352
Cross-Site Request Forgery - OWASP
CVE-2025-64760

CategoryTrackers

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-11-14

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #45618

Git commit

tuleap/tuleap/stable

fix: request #45618 Missing CSRF protections in the management of tracker triggers 71d427b0f7

Thomas Gerbet (tgerbet) , 2025-11-14 10:58

Merge commit 'refs/changes/73/36173/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD d98f38e9ef

Nicolas Terray (nterray) , 2025-11-14 14:29

Show items referenced by request #45618

Referenced by request #45618

Artifact

rel #45209 17.1

Git commit

tuleap/tuleap/stable

fix: request #45618 Missing CSRF protections in the management of tracker triggers 71d427b0f7

Thomas Gerbet (tgerbet) , 2025-11-14 10:58

Other

Follow-ups

Thomas Gerbet (tgerbet)

2025-12-08 10:31

Public disclosure.

Thomas Gerbet (tgerbet)

2025-11-14 16:40

CVE-2025-64760 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Nicolas Terray (nterray)

2025-11-14 14:30

Connected artifacts
- Added Fixed in: rel #45209

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-11-14 14:30

request fixed by @tgerbet with git #tuleap/stable/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4.

Status changed from Under review to Closed
Close date set to 2025-11-14

Thomas Gerbet (tgerbet)

2025-11-14 10:59

See gerrit #36173.

Status changed from Under implementation to Under review

Thomas Gerbet (tgerbet)

2025-11-14 09:04

Summary
-~~Trigger deletion is not covered by~~ CSRF
+Missing CSRF protections in the management of tracker triggers
Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2025-11-14 08:59

Status changed from New to Under implementation
Assigned to changed from None to Thomas Gerbet (tgerbet)