CVE-2025-30203
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Tuleap's RSS widget functionality. Project administrators or users controlling RSS feeds can inject malicious scripts that execute in victims' browsers when viewing RSS content. This affects Tuleap Community and Enterprise Editions before the patched versions.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
An attacker with project administrator privileges or control over an RSS feed could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the victim, or redirecting to malicious sites.
Likely Case
Project administrators or users with RSS feed control could perform limited XSS attacks against other project members viewing RSS widgets, potentially compromising their accounts within the Tuleap instance.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching victims' browsers.
🎯 Exploit Status
Exploitation requires project administrator privileges or control over the content of an RSS feed that a widget loads, which limits the attack surface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.5.99.1742562878, Tuleap Enterprise Edition 16.5-5 and 16.4-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-39gx-34fc-rx6r
Restart Required: Yes
Instructions:
1. Back up your Tuleap instance.
2. Update to the patched version using your distribution's package manager.
3. Restart Tuleap services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable RSS widgets
Remove or disable RSS widgets from all project dashboards to eliminate the attack vector.
Restrict RSS feed sources
Only allow trusted, verified RSS feeds from internal sources.
🧯 If You Can't Patch
- Remove RSS widgets from all project dashboards immediately
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check Tuleap version via web interface admin panel or command line: /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/src/utils/display_tuleap_version.php
Check Version:
/usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/src/utils/display_tuleap_version.php
Verify Fix Applied:
Verify that the installed version is at least Tuleap Community Edition 16.5.99.1742562878, or Enterprise Edition 16.5-5 (16.5 line) / 16.4-8 (16.4 line).
📡 Detection & Monitoring
Log Indicators:
- Unusual RSS feed modifications
- Multiple failed XSS attempts in web logs
Network Indicators:
- Suspicious JavaScript payloads in RSS content requests
SIEM Query:
web_logs WHERE (url CONTAINS 'rss' OR url CONTAINS 'widget') AND (payload CONTAINS '<script>' OR payload CONTAINS 'javascript:')
🔗 References
- https://github.com/Enalean/tuleap/commit/54cce3f5e883d16055cb0239e023f48cdf5eb25f
- https://github.com/Enalean/tuleap/security/advisories/GHSA-39gx-34fc-rx6r
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=54cce3f5e883d16055cb0239e023f48cdf5eb25f
- https://tuleap.net/plugins/tracker/?aid=42243