Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8.
References
| Link | Resource |
|---|---|
| https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 | Patch |
| https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p | Vendor Advisory |
| https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 | Patch Broken Link |
| https://tuleap.net/plugins/tracker/?aid=45618 | Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
10 Dec 2025, 21:01
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:* |
|
| References | () https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 - Patch | |
| References | () https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p - Vendor Advisory | |
| References | () https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 - Patch, Broken Link | |
| References | () https://tuleap.net/plugins/tracker/?aid=45618 - Issue Tracking, Vendor Advisory | |
| First Time |
Enalean
Enalean tuleap |
08 Dec 2025, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-08 23:15
Updated : 2025-12-10 21:01
NVD link : CVE-2025-64760
Mitre link : CVE-2025-64760
CVE.ORG link : CVE-2025-64760
JSON object : View
Products Affected
enalean
- tuleap
CWE
CWE-352
Cross-Site Request Forgery (CSRF)