CVE-2023-23938 Vulnerability Details

  /     /     /  

CVE-2023-23938 Metadata Quick Info

CVE Published: 20/04/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: Enalean | Product: tuleap
Status : PUBLISHED

---

CVE-2023-23938 Description

Tuleap is a Free & Source tool for end to end traceability of application and system developments. Affected versions are subject to a cross site scripting attack which can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue.

Metrics

CVSS Version: 3.1 | Base Score: 5.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* HIGH
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )
Source: Enalean

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).