Headline
CVE-2022-31063
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.111, the title of a document is not properly escaped in the search results of the MyDocmanSearch widget or in the administration page of the locked documents. A malicious user with the capability to create a document could force a victim to execute uncontrolled code. Users are advised to upgrade. There are no known workarounds for this issue.
Package: Tuleap Community Edition (tuleap)
Affected versions: < 13.9.99.111
Patched versions: 13.9.99.111

Package: Tuleap Enterprise Edition (tuleap)
Affected versions: < 13.9-3, < 13.8-6
Patched versions: 13.9-3, 13.8-6
Description
The title of a document is not properly escaped in the search results of the MyDocmanSearch widget or in the administration page of the locked documents.
Impact
A malicious user with the capability to create a document could force a victim to execute uncontrolled code.
Patches
The following versions contain the fix:
- Tuleap Community Edition 13.9.99.111
- Tuleap Enterprise Edition 13.9-3
- Tuleap Enterprise Edition 13.8-6
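A version check built from the affected and patched versions listed in this advisory, added here as an example; it is not part of the advisory or of Tuleap's code. The function names, edition labels and inventory rows are assumptions, as is the treatment of Enterprise branches other than 13.8 and 13.9.

```python
import re

# Fixed releases exactly as listed in the advisory.
COMMUNITY_FIXED = (13, 9, 99, 111)
ENTERPRISE_FIXED = {(13, 9): 3, (13, 8): 6}  # release branch -> first fixed level

def parse_community(version):
    """Parse 'A.B.C.D' (the shape of 13.9.99.111) into a tuple of ints."""
    if not re.fullmatch(r"\d+(?:\.\d+){3}", version):
        raise ValueError(f"unrecognised Community Edition version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def parse_enterprise(version):
    """Parse 'A.B-P' (the shape of 13.9-3) into ((A, B), P)."""
    match = re.fullmatch(r"(\d+)\.(\d+)-(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Enterprise Edition version: {version!r}")
    major, minor, level = (int(g) for g in match.groups())
    return (major, minor), level

def is_affected(edition, version):
    """Return True if this edition/version is affected per the advisory."""
    version = version.strip()
    if edition == "community":
        return parse_community(version) < COMMUNITY_FIXED
    if edition == "enterprise":
        branch, level = parse_enterprise(version)
        if branch in ENTERPRISE_FIXED:
            return level < ENTERPRISE_FIXED[branch]
        # Assumption: branches older than 13.8 have no fixed release,
        # branches newer than 13.9 already include the fix.
        return branch < min(ENTERPRISE_FIXED)
    raise ValueError(f"unknown edition: {edition!r}")

def triage(inventory):
    """Return the hosts from (host, edition, version) rows that need upgrading."""
    return [host for host, edition, version in inventory if is_affected(edition, version)]

# Constructed inventory for illustration; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("tuleap-a.example", "community", "13.9.99.110"),
    ("tuleap-b.example", "community", "13.9.99.111"),
    ("tuleap-c.example", "enterprise", "13.8-5"),
    ("tuleap-d.example", "enterprise", "13.9-3"),
]
```

Malformed version strings raise ValueError rather than being reported as unaffected, so an unparseable inventory row cannot hide a vulnerable instance.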
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.
References
- request #27173 XSS via the title of a document
- c947975
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=c947975a4f1ff7bbfd7d5cd24a2e16bf12bd96d4