CVE-2025-64498

Source
https://cve.org/CVERecord?id=CVE-2025-64498
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64498.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64498
Aliases
  • GHSA-vxfh-h8p6-p5rg
Published
2025-12-08T22:36:26.283Z
Modified
2026-04-10T05:34:01.422381Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Summary
Tuleap has a Cross-Site Request Forgery (CSRF) vulnerability
Details

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers to trick victims into changing tracker general settings. This issue is fixed in Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64498.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Git / github.com/enalean/tuleap

Affected ranges

Type
GIT
Repo
https://github.com/enalean/tuleap
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "16.12-10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "17.0.99.1762444754"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "16.13"
            },
            {
                "fixed": "16.13-7"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "17.0"
            },
            {
                "fixed": "17.0-2"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64498.json"