Headline
CVE-2023-30619: XSS in the tooltip via an artifact title
Tuleap Open ALM is a Libre and Open Source tool for end to end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code. This issue has been patched in version 14.7.99.143.
Package
Tuleap Community Edition (tuleap)
Affected versions
>= 14.7.99.76 && < 14.7.99.143
Patched versions
14.7.99.143
Description
The title of an artifact is not properly escaped in the tooltip.
Impact
A malicious user with the capability to create an artifact or to edit a field title could force victim to execute uncontrolled code.
Patches
The following version contain the fix:
- Tuleap Community Edition 14.7.99.143
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.
References
- request #31586: XSS in the tooltip via an artifact title
- fdc93a7
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=fdc93a736cbccad05de16ff0cc7cc3ef18dc93df