cvelist | GitHub_M | CVELIST:CVE-2021-41142
Oct 14, 2021 - 4:05 p.m.

CVE-2021-41142 XSS via the name of a deleted attachment

2021-10-14 16:05:13
CWE-79
GitHub_M
www.cve.org
cve-2021-41142
cross-site scripting
tuleap open alm
attachment vulnerability
uncontrolled code execution

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 33.0%

Tuleap Open ALM is a libre and open source tool for end-to-end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachments to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue.

CNA Affected

[
  {
    "product": "tuleap",
    "vendor": "Enalean",
    "versions": [
      {
        "status": "affected",
        "version": "< 12.11.99.25"
      },
      {
        "status": "affected",
        "version": ">= 12.11-1, < 12.11-2"
      }
    ]
  }
]
