CVE-2023-32072
Tuleap is an open source tool for end to end traceability of application and system developments. In Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise Edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git...
CVE-2023-32072 Tuleap vulnerable to XSS via the triggered job URL of a Jenkins job
Tuleap is an open source tool for end to end traceability of application and system developments. In Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise Edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git...
CVE-2023-30619
Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force a victim to execute...
CVE-2023-30619 XSS in the tooltip via an artifact title
Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force a victim to execute...
CVE-2023-23938
CVE-2023-23938 describes a cross-site scripting (XSS) vulnerability in Tuleap. Affected: Tuleap Community Edition and related builds prior to version 14.5.99.4. The issue arises when the name of a color used for values in a tracker’s select box is reflected in the tracker administration page, ena...
SUSE CVE-2020-5291
Bubblewrap bwrap before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the bwrap --userns2 option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...
Comprehensive Traceability for Android Supply-Chain Security
We discuss the importance of traceability in the world of mobile operating systems...
Code injection
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not properly sanitize the search filter built from the ldapid attribute of a user during the daily synchronization. A malicious user could force accounts to ...
The-Bastion - Authentication, Authorization, Traceability And Auditability For SSH Accesses
Bastions are a cluster of machines used as the unique entry point by operational teams such as sysadmins, developers, database admins, ... to securely connect to devices (servers, virtual machines, cloud instances, network equipment, ...), usually using ssh. Bastions provide mechanisms for...
SQL Injection Vulnerability in Traceability Management System of Heilongjiang Ligao Technology Co.
Heilongjiang Ligao Technology Co., Ltd. is the only total solution provider in the industry. A SQL injection vulnerability exists in the traceability management system of Heilongjiang Ligao Technology Co., Ltd. and can be exploited by attackers to obtain sensitive information from the database...
WhatsApp’s Fight With India Has Global Implications
The country’s “traceability” requirement would undermine the privacy of the encrypted messaging app’s users far beyond its borders...
WhatsApp Sues Indian Government Over New Internet Regulations
WhatsApp on Wednesday fired a legal salvo against the Indian government to block new regulations that would require messaging apps to trace the "first originator" of messages shared on the platform, thus effectively breaking encryption protections. "Requiring messaging apps to 'trace' chats is th...
Information Disclosure Vulnerability in Advanced Threat Hunting and Traceability System
Advanced Threat Hunting and Traceability System is an advanced threat hunting and traceability system based on deception defense with an information leakage vulnerability that can be exploited by attackers to obtain sensitive information...
It’s Cybersecurity Awareness Month and there is still a lot to do
October is National Cyber Security Awareness Month (NCSAM). And there is still a lot to do! For the last 17 years, the National Cybersecurity Awareness Month (NCSAM) campaign, driven by the Department of Homeland Security, has raised awareness about the importance of cyber security across the Nation...
SQL Injection Vulnerability in Food Traceability Platform of Henan Zhuqi Information Technology Co.
Food Traceability Platform is a third-party information service platform registered and operated by Henan Zhuoqi Information Technology Co., Ltd. with the participation of government regulators for supervision, food enterprises for cooperation, and consumers for comprehensive and fair inquiry of...
Z.Z.AI.Sup.Ps. and Produce Traceability Platforms Have Logic Flaw Vulnerabilities
Hangzhou Zhaozhen Network Technology Co., Ltd. is a high-tech enterprise engaged in on-demand customized application software development and mobile Internet application software development. Z.Z.AI.Sup.Ps. and Agricultural Products Traceability Platform has a logic flaw vulnerability that can be...
Principles of a Cloud Migration – Security, The W5H – Episode WHAT?
Teaching you to be a Natural Born Pillar! Last week, we took you through the “WHO” of securing a cloud migration here, detailing each of the roles involved with implementing a successful security practice during a cloud migration. Read: everyone. This week, I will be touching on the “WHAT” of...
Vital infrastructure: securing our food and agriculture
I don’t expect to hear any arguments on whether the production of our food is important or not. So why do we hardly ever hear anything about the cybersecurity in the food and agriculture sector? Depending on the country, agriculture makes up about 5 percent of the gross domestic product. That...
A week in security (March 26 – April 01)
Last week, we looked at the thought process behind creating a ransomware decryptor, the inner workings of QuantLoader, the ways one can protect their Android devices, the exploit kits we have encountered this winter, the now-known epidemic of data breaches, the coming of TLS 1.3, and the ways one...