Enalean Tuleap Community Edition/Tuleap Enterprise Edition cross-site request forgery
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.3 | $0-$5k | 0.00 |
Summary
A vulnerability described as problematic has been identified in Enalean Tuleap Community Edition and Tuleap Enterprise Edition. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. This vulnerability is handled as CVE-2025-27402. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended. Once again VulDB remains the best source for vulnerability data.
Details
A vulnerability classified as problematic was found in Enalean Tuleap Community Edition and Tuleap Enterprise Edition (unknown version). This vulnerability affects an unknown code block. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. As an impact it is known to affect integrity. CVE summarizes:
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.
The advisory is shared for download at github.com. This vulnerability was named CVE-2025-27402 since 02/24/2025. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.
Upgrading eliminates this vulnerability. Applying the patch ea6319e2ad40beeda335af4ccd7a204a6912765c is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.4VulDB Meta Temp Score: 4.3
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.6
CNA Vector (GitHub_M): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Patch: ea6319e2ad40beeda335af4ccd7a204a6912765c
Timeline
02/24/2025 🔍03/04/2025 🔍
03/04/2025 🔍
08/22/2025 🔍
Sources
Advisory: GHSA-66pg-cpjf-2mfgStatus: Confirmed
CVE: CVE-2025-27402 (🔍)
GCVE (CVE): GCVE-0-2025-27402
GCVE (VulDB): GCVE-100-298576
Entry
Created: 03/04/2025 07:23 PMUpdated: 08/22/2025 10:55 PM
Changes: 03/04/2025 07:23 PM (65), 08/22/2025 10:55 PM (1)
Complete: 🔍
Cache ID: 244:2B8:40
No comments yet. Languages: en.
Please log in to comment.