CVE-2025-27099
📋 TL;DR
This CVE describes a stored cross-site scripting (XSS) vulnerability in Tuleap's tracker semantic timeframe deletion messages. A tracker administrator can inject malicious scripts that execute in the context of other tracker administrators' browsers when they view deletion messages. This affects Tuleap instances with semantic timeframes shared across multiple trackers.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
A malicious tracker administrator could execute arbitrary JavaScript in other administrators' sessions, potentially stealing session cookies, performing actions as those users, or redirecting to malicious sites.
Likely Case
Attackers with tracker administrator privileges could perform limited session hijacking or defacement against other administrators within the same Tuleap instance.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires tracker administrator privileges and knowledge of semantic timeframe usage patterns. The vulnerability is in the deletion message display mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.4.99.1740067916, Tuleap Enterprise Edition 16.4-5, Tuleap Enterprise Edition 16.3-10
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-vqfj-2gqp-g89x
Restart Required: Yes
Instructions:
1. Back up your Tuleap instance and database.
2. Update to the patched version using your distribution's package manager or the Tuleap upgrade process.
3. Restart Tuleap services.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict tracker administrator privileges
Limit tracker administrator roles to trusted users only and apply the principle of least privilege.
Disable semantic timeframe sharing
Prevent trackers from sharing semantic timeframes where this is not operationally required.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Monitor tracker administrator activities and audit semantic timeframe configurations
🔍 How to Verify
Check if Vulnerable:
Compare the installed Tuleap version against the patched versions listed above. Review whether semantic timeframes are shared between trackers.
Check Version:
tuleap info | grep 'Tuleap version' or check the Tuleap web interface administration panel
Verify Fix Applied:
Verify that the Tuleap version is at or above the patched versions. Test that tracker names in semantic timeframe deletion messages are properly sanitized, i.e. rendered as text rather than interpreted as markup.
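The output-encoding fix described under "If Mitigated" and the verification step above, as an added illustration that is not Tuleap code (Tuleap itself is written in PHP): a vulnerable and a hardened rendering of a deletion message that lists the trackers sharing a timeframe, plus a check that confirms tracker names survive only as text. The message wording and the sample tracker names are constructed.

```python
import html
import re

# Constructed sample tracker names, as a tracker administrator could set them.
# The second one carries markup so the check has something to catch.
SAMPLE_TRACKERS = [
    "Bugs",
    "<img src=x onerror=alert(1)>",
    "Release & Sprint Planning",
]

# The deletion message's own wrapper tags; anything else in the output is a leak.
WRAPPER_TAGS = ("<p>", "</p>")
TAG_RE = re.compile(r"<[^>]+>")


def deletion_message_vulnerable(tracker_names):
    """Interpolates tracker names into HTML without encoding (the CVE pattern)."""
    return "<p>Semantic timeframe is shared with: " + ", ".join(tracker_names) + "</p>"


def deletion_message_hardened(tracker_names):
    """Same message, with each tracker name HTML-encoded before interpolation."""
    encoded = ", ".join(html.escape(name, quote=True) for name in tracker_names)
    return "<p>Semantic timeframe is shared with: " + encoded + "</p>"


def names_rendered_as_text(rendered_html, tracker_names):
    """True if the only tags present are the wrapper's and every name
    survives the round trip as text. Use this as the post-patch check."""
    stray_tags = [t for t in TAG_RE.findall(rendered_html) if t not in WRAPPER_TAGS]
    if stray_tags:
        return False
    visible_text = html.unescape(TAG_RE.sub("", rendered_html))
    return all(name in visible_text for name in tracker_names)


if __name__ == "__main__":
    for render in (deletion_message_vulnerable, deletion_message_hardened):
        out = render(SAMPLE_TRACKERS)
        print(render.__name__, "->", names_rendered_as_text(out, SAMPLE_TRACKERS))
```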
📡 Detection & Monitoring
Log Indicators:
- Unusual tracker name modifications
- Multiple semantic timeframe deletion attempts
- Administrator session anomalies
Network Indicators:
- Unexpected JavaScript execution in tracker administration pages
SIEM Query:
source="tuleap" AND (event="tracker_update" OR event="semantic_timeframe_delete") AND user_role="tracker_admin"