Lucene search

GitHub_MCVELIST:CVE-2023-30619

HistoryMay 04, 2023 - 1:35 p.m.

CVE-2023-30619 XSS in the tooltip via an artifact title

2023-05-0413:35:35

CWE-79

GitHub_M

www.cve.org

cve-2023-30619

xss

tooltip

artifact title

tuleap open alm

traceability

code execution

patch

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

40.1%

JSON

Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code. This issue has been patched in version 14.7.99.143.

CNA Affected

[
  {
    "vendor": "Enalean",
    "product": "tuleap",
    "versions": [
      {
        "version": " >= 14.7.99.76, < 14.7.99.143",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Enalean/tuleap/commit/fdc93a736cbccad05de16ff0cc7cc3ef18dc93df

github.com/Enalean/tuleap/security/advisories/GHSA-7fm3-cr3g-5922

tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=fdc93a736cbccad05de16ff0cc7cc3ef18dc93df

tuleap.net/plugins/tracker/?aid=31586