Nicolas Terray

9 exploits Active since Jun 2022
CVE-2022-31063 WRITEUP MEDIUM WRITEUP
Tuleap <13.9.99.111 - Code Injection
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.111 the title of a document is not properly escaped in the search result of MyDocmanSearch widget and in the administration page of the locked documents. A malicious user with the capability to create a document could force victim to execute uncontrolled code. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 6.5
CVE-2023-23938 WRITEUP MEDIUM WRITEUP
Tuleap 13.8.99.4-14.4.7 and 14.5.99.4 - Authenticated Stored Cross-Site Scripting in Tracker Color Name
Tuleap is a Free & Source tool for end to end traceability of application and system developments. Affected versions are subject to a cross site scripting attack which can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 5.9
CVE-2023-30619 WRITEUP MEDIUM WRITEUP
Tuleap 14.7.99.76-14.7.99.143 - Cross-Site Scripting in Artifact Title Tooltip
Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code. This issue has been patched in version 14.7.99.143.
CVSS 5.4
CVE-2024-23344 WRITEUP MEDIUM WRITEUP
Tuleap < 15.3.5 and 15.2.99.49-15.4.99.140 - Exposure of Sensitive Information via Permission Validation Bypass
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Some users might get access to restricted information when a process validates the permissions of multiple users (e.g. mail notifications). This issue has been patched in version 15.4.99.140 of Tuleap Community Edition.
CVSS 5.3
CVE-2024-47767 WRITEUP MEDIUM WRITEUP
Tuleap <15.13.99.113, <15.13-5, <15.12-5 - Info Disclosure
Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-5, users might see tracker names they should not have access to. Tuleap Community Edition 15.13.99.113, Tuleap Enterprise Edition 15.13-5, and Tuleap Enterprise Edition 15.12-8 fix this issue.
CVSS 4.3
CVE-2024-52599 WRITEUP MEDIUM WRITEUP
Tuleap < 16.0-7 and < 16.1.99.50 - Stored Cross-Site Scripting via Gantt Chart Artifact
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 16.1.99.50 and Tuleap Enterprise Edition prior to versions 16.1-4 and 16.0-7, a malicious user with the ability to create an artifact in a tracker with a Gantt chart could force a victim to execute uncontrolled code. Tuleap Community Edition 16.1.99.50, Tuleap Enterprise Edition 16.1-4, and Tuleap Enterprise Edition 16.0-7 contain a fix.
CVSS 5.4
CVE-2025-64117 WRITEUP MEDIUM WRITEUP
Tuleap < 16.13.99.1761813675 / Enterprise < 16.13-5/16.12-8 - Cross-Site Request Forgery
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue.
CVSS 4.6
CVE-2025-64498 WRITEUP MEDIUM WRITEUP
Tuleap < 16.12-10, < 17.0.99.1762444754 - Cross-Site Request Forgery
Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers trick victims into changing tracker general settings. This issue is fixed in version Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.
CVSS 4.6
CVE-2025-65962 WRITEUP MEDIUM WRITEUP
Tuleap <17.0.99.1763803709, <17.0-4, <16.13-9 - CSRF
Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are mission CSRF protections in its tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9.
CVSS 4.6