Tuleap is missing CSRF protections for its planning management API

4.6 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Description

Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10.

Basic Information

ID CVE-2025-64499

Source GitHub_M

Published Dec 8, 2025 at 22:44

Affected Product

Vendor Enalean

Product tuleap

Version Tuleap Community Edition < 17.0.99.1762456922

Affected Versions Enalean tuleap Tuleap Community Edition < 17.0.99.1762456922
Enalean tuleap Tuleap Enterprise Edition < 17.0-2
Enalean tuleap Tuleap Enterprise Edition < 16.13-7
Enalean tuleap Tuleap Enterprise Edition < 16.12-10

CWE Classification

CWE-352

References

{
    "lastseen": "",
    "description": "Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10.",
    "published": "2025-12-08T22:44:29.555Z",
    "modified": "2025-12-08T22:44:29.555Z",
    "type": "cve",
    "title": "Tuleap is missing CSRF protections for its planning management API",
    "source": "GitHub_M",
    "references": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x\nhttps://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526\nhttps://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526\nhttps://tuleap.net/plugins/tracker/?aid=45592",
    "id": "CVE-2025-64499",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "Enalean tuleap Tuleap Community Edition < 17.0.99.1762456922\nEnalean tuleap Tuleap Enterprise Edition  < 17.0-2\nEnalean tuleap Tuleap Enterprise Edition < 16.13-7\nEnalean tuleap Tuleap Enterprise Edition < 16.12-10",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tuleap",
    "version": "Tuleap Community Edition < 17.0.99.1762456922",
    "vendor": "Enalean",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Tuleap is missing CSRF protections for its planning management API_CVE-2025-64499