Cross-Site Scripting Vulnerability in Tuleap Software Development Suite
CVE-2025-27099

4.8MEDIUM

Key Information:

Vendor

Enalean

Status
Tuleap
Vendor
CVE Published:
3 March 2025

What is CVE-2025-27099?

Tuleap, an open-source software development suite, has a vulnerability that allows cross-site scripting (XSS) through the tracker names in semantic timeframe deletion messages. This flaw enables a tracker administrator to potentially execute malicious code on the systems of other administrators using valid semantic timeframes. The issue affects various versions of Tuleap but has been addressed in the latest releases for both Community and Enterprise editions.

Affected Version(s)

tuleap < 16.4.99.1740067916

References

https://github.com/Enalean/tuleap/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/Enalean/tuleap/commit/bec10bd5c98f6570...
x_refsource_MISC
https://tuleap.net/plugins/tracker/?aid=41858
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.