Enalean Tuleap vulnerabilities
71 known vulnerabilities affecting enalean/tuleap.
Total CVEs: 71
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 13, MEDIUM 55
Vulnerabilities
Page 1 of 4

CVE | Priority | Severity | CVSS | Exploit | Affected / fixed versions | Published
CVE-2017-7411 | P2 | HIGH | CVSS 8.8 | PoC | ≤ 9.6 | 2017-10-30
CWE-94: An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the applic
Source: nvd
CVE-2017-7981 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 9.7 | 2017-04-29
CWE-78: Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, and an authenticated Tuleap user can control this value, even with shell metacharacters, as demonstrated by
Source: nvd
CVE-2014-7178 | P2 | CRITICAL | CVSS 9.3 | PoC | ≤ 7.5.99.5 | 2014-11-28
CWE-20: Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.
Source: nvd
CVE-2018-7538 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 9.18 | 2018-03-12
CWE-89: A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands.
Source: nvd
CVE-2014-8791 | P3 | MEDIUM | CVSS 6.0 | PoC | v7.6 | 2014-12-02
CWE-94: project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.
Source: nvd
CVE-2014-7176 | P3 | MEDIUM | CVSS 6.5 | PoC | ≤ 7.5 | 2014-11-04
CWE-89: SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 allows remote authenticated users to execute arbitrary SQL commands via the lobal_txt parameter to plugins/docman.
Source: nvd
CVE-2021-41148 | P3 | HIGH | CVSS 8.8 | - | fixed in 11.16.99.173; ≥ 11.15-1, < 11.15-8; +3 more | 2021-10-15
CWE-89: Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with the ability to add one the CI widget to its personal dashboard could execute arbitrary SQL queries. Tuleap Communi
Source: nvd
CVE-2021-41154 | P3 | HIGH | CVSS 8.8 | - | fixed in 11.17.99.144; ≥ 11.16-1, < 11.16-7; +3 more | 2021-10-18
CWE-89: Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.17.99.144, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Editi
Source: nvd
CVE-2021-43806 | P3 | HIGH | CVSS 8.8 | - | fixed in 13.2.99.155; ≥ 13.1-1, < 13.1-7; +3 more | 2021-12-15
CWE-89: Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. An authenticated malicious user with read access to a CVS repository could execute arbitrary
Source: nvd
CVE-2021-41155 | P3 | HIGH | CVSS 8.8 | - | fixed in 11.17.99.146; ≥ 11.16-1, < 11.16-7; +3 more | 2021-10-18
CWE-89: Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix: Tuleap Community Edition 11.17.99.146, Tuleap Enterprise
Source: nvd
CVE-2014-7177 | P4 | MEDIUM | CVSS 4.0 | PoC | ≤ 7.2 | 2014-10-31
XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier allows remote authenticated users to read arbitrary files via a crafted xml document in a create action to plugins/tracker/.
Source: nvd
CVE-2018-17298 | P3 | CRITICAL | CVSS 9.8 | - | fixed in 10.5 | 2018-09-21
CWE-640: An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes its password.
Source: nvd
CVE-2021-41147 | P3 | HIGH | CVSS 7.2 | - | fixed in 11.16.99.173; ≥ 11.15-1, < 11.15-8; +3 more | 2021-10-15
CWE-89: Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with admin rights in one agile dashboard service can execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.1
Source: nvd
CVE-2022-31058 | P3 | HIGH | CVSS 7.2 | - | fixed in 13.9.99.111; ≥ 13.8.0, < 13.8.6; +2 more | 2022-06-29
CWE-89: Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.95 Tuleap does not sanitize properly user inputs when constructing the SQL query to retrieve data for the tracker reports. An attacker with the capability to create a new tracker can execute arbitrary SQL queries. Users ar
Source: nvd
CVE-2023-35938 | P3 | HIGH | CVSS 7.2 | - | fixed in 14.9.99.63; fixed in 14.10-1 | 2023-06-29
CWE-281: Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility swi
Source: nvd
CVE-2021-41276 | P3 | HIGH | CVSS 7.2 | - | fixed in 13.2.99.31; ≥ 13.1-1, < 13.1-5; +4 more | 2021-12-15
CWE-74: Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the
Source: nvd
CVE-2021-43782 | P3 | HIGH | CVSS 7.2 | - | fixed in 13.2.99.83; ≥ 13.1-1, < 13.1-6; +1 more | 2021-12-15
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accou
Source: nvd
CVE-2025-64497 | P3 | MEDIUM | CVSS 6.5 | - | fixed in 16.12-10; fixed in 17.0.99.1762431347; +6 more | 2025-12-08
CWE-639: Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.9
Source: nvd
CVE-2024-30246 | P3 | HIGH | CVSS 7.1 | - | ≥ 14.11.99.34, < 15.7.99.6; ≥ 14.12-1, < 14.12-6; +9 more | 2024-03-29
CWE-440: Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could exploit this issue on purpose to delete information on the instance or possibly gain access to restricted artifacts. It is however not possible to control exactly which information is deleted. Information from the Date, File, Float, I
Source: nvd
CVE-2024-25130 | P3 | MEDIUM | CVSS 6.5 | - | fixed in 15.4-7; fixed in 15.5.99.76; +2 more | 2024-02-22
CWE-200: Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap C
Source: nvd