XSS on the success message of a kanban deletion
Package                              Affected versions      Patched versions
Tuleap Community Edition (tuleap)    < 14.11.99.82          14.11.99.82
Tuleap Enterprise Edition (tuleap)   < 14.11-5              14.11-5
                                     < 14.10-7              14.10-7
Content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped.
Impact
An agile dashboard administrator who deletes a kanban carrying a malicious label can be made to execute attacker-controlled script in their browser, within their own Tuleap session (stored cross-site scripting).
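The failure mode above, as an added illustration that is not Tuleap's code: a user-chosen kanban label is concatenated straight into the HTML of the "successfully deleted" message, so whoever can name a kanban can run script in the administrator's browser when the kanban is deleted. The function names, the message wording and the malicious label are all constructed for this example; the fixed variant shows the minimal repair, escaping every untrusted value before it is interpolated into an HTML text context.

```javascript
// Added example, not Tuleap's code. Shows the unescaped-label bug pattern
// described by the advisory and its fix. All names here are hypothetical.

// Minimal escaper for an HTML text/attribute-value context. '&' is replaced
// first so the entities produced for the other characters are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the label (set by any user who can create a kanban) is dropped
// verbatim into markup that is later injected into the administrator's page.
function buildDeletionMessageVulnerable(label) {
  return `<div class="alert alert-success">Kanban "${label}" was successfully deleted.</div>`;
}

// FIXED: the same message, with the untrusted value escaped for HTML.
function buildDeletionMessageFixed(label) {
  return `<div class="alert alert-success">Kanban "${escapeHtml(label)}" was successfully deleted.</div>`;
}

// Heuristic check usable in a unit test: does the produced markup still carry
// the untrusted value untouched while that value contains a raw tag opener?
function containsRawMarkup(html, untrustedValue) {
  return html.includes(untrustedValue) && /<[a-z]/i.test(untrustedValue);
}

// Constructed malicious label: a plausible kanban name with an injected element.
const MALICIOUS_LABEL = 'Sprint 12<img src=x onerror="alert(document.cookie)">';

// Build both messages for the malicious label and report whether the payload
// survived, so the contrast can be asserted rather than eyeballed.
function demo(label = MALICIOUS_LABEL) {
  const vulnerable = buildDeletionMessageVulnerable(label);
  const fixed = buildDeletionMessageFixed(label);
  return {
    vulnerableContainsPayload: containsRawMarkup(vulnerable, label),
    fixedContainsPayload: containsRawMarkup(fixed, label),
    vulnerable,
    fixed,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real front end the escaper is the fallback, not the first choice: assigning the label through `textContent` or through a framework's default (escaping) interpolation avoids building HTML from strings at all, and `innerHTML` with string concatenation is exactly the sink a code review should flag.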
Patches
The following versions contain the fix: Tuleap Community Edition 14.11.99.82, and Tuleap Enterprise Edition 14.11-5 and 14.10-7.
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.