CVE-2025-27099

Source
https://cve.org/CVERecord?id=CVE-2025-27099
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27099.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27099
Aliases
  • GHSA-vqfj-2gqp-g89x
Published
2025-03-03T15:54:33.306Z
Modified
2026-04-10T05:24:12.145645Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L CVSS Calculator
Summary
Tuleap allows XSS via the tracker names used in the semantic timeframe deletion message
Details

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3-10.

Database specific
{
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27099.json"
}
References

Affected packages

Git / github.com/enalean/tuleap

Affected ranges

Type
GIT
Repo
https://github.com/enalean/tuleap
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27099.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "16.3-10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "16.4.99.1740067916"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "16.4"
            },
            {
                "fixed": "16.4-5"
            }
        ]
    }
]