CVE-2024-52599

Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 16.1.99.50 and Tuleap Enterprise Edition prior to versions 16.1-4 and 16.0-7, a malicious user with the ability to create an artifact in a tracker with a Gantt chart could force a victim to execute uncontrolled code. Tuleap Community Edition 16.1.99.50, Tuleap Enterprise Edition 16.1-4, and Tuleap Enterprise Edition 16.0-7 contain a fix.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Enalean/tuleap/commit/d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5	Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-489c-fm2j-qjw7	Third Party Advisory Patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5	Permissions Required
https://tuleap.net/plugins/tracker/?aid=40459	Third Party Advisory Issue Tracking Patch Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

History

No history.

Information

Published : 2024-12-09 19:15

Updated : 2025-08-22 16:19

NVD link : CVE-2024-52599

Mitre link : CVE-2024-52599

CVE.ORG link : CVE-2024-52599

JSON object : View

Products Affected

enalean

tuleap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-52599", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-12-09T19:15:13.863", "references": [{"url": "https://github.com/Enalean/tuleap/commit/d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-489c-fm2j-qjw7", "tags": ["Third Party Advisory", "Patch"], "source": "[email protected]"}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=d3686ab152b6f64ff835e7dd3c99d97b36a9d4d5", "tags": ["Permissions Required"], "source": "[email protected]"}, {"url": "https://tuleap.net/plugins/tracker/?aid=40459", "tags": ["Third Party Advisory", "Issue Tracking", "Patch", "Exploit"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 16.1.99.50 and Tuleap Enterprise Edition prior to versions 16.1-4 and 16.0-7, a malicious user with the ability to create an artifact in a tracker with a Gantt chart could force a victim to execute uncontrolled code. Tuleap Community Edition 16.1.99.50, Tuleap Enterprise Edition 16.1-4, and Tuleap Enterprise Edition 16.0-7 contain a fix."}, {"lang": "es", "value": "Tuleap es una suite de c\u00f3digo abierto para mejorar la gesti\u00f3n de los desarrollos de software y la colaboraci\u00f3n. En Tuleap Community Edition anterior a la versi\u00f3n 16.1.99.50 y Tuleap Enterprise Edition anterior a las versiones 16.1-4 y 16.0-7, un usuario malintencionado con la capacidad de crear un artefacto en un rastreador con un diagrama de Gantt podr\u00eda obligar a una v\u00edctima a ejecutar c\u00f3digo no controlado. Tuleap Community Edition 16.1.99.50, Tuleap Enterprise Edition 16.1-4 y Tuleap Enterprise Edition 16.0-7 contienen una correcci\u00f3n."}], "lastModified": "2025-08-22T16:19:06.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A1C564-201D-43CA-BD24-E7DE7B2F8C2E", "versionEndExcluding": "16.0-7"}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "D6B1E987-E529-41F7-AE4E-83EEA8C7240B", "versionEndExcluding": "16.1.99.50"}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "0163CCD1-23B5-4295-A36C-5621C4CA5C3B", "versionEndExcluding": "16.1-4", "versionStartIncluding": "16.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}