XSS in the card field of the agile dashboard apps
Package: Tuleap Community Edition (tuleap)
Affected versions: < 14.10.99.4
Patched versions: 14.10.99.4

Package: Tuleap Enterprise Edition (tuleap)
Affected versions: < 14.10-2, < 14.9-5
Patched versions: 14.10-2, 14.9-5
Content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped.
Impact
A malicious user with the capability to create an artifact or to edit a field used as a card field could force a victim to execute uncontrolled code.
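As an added example that is not Tuleap's code, the following JavaScript shows the class of defect the advisory describes: a card field value concatenated into card markup without escaping, beside the escaped rendering and the textContent alternative. The function names, the markup shape and the sample field value are assumptions for illustration only.

```javascript
// Added example, not Tuleap's code. Names and markup are assumptions.

// The five characters that must be escaped when user data is placed
// into HTML text or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the field value goes into the markup unchanged,
// so any tag or script inside it is parsed and executed by the browser.
function renderCardFieldUnsafe(label, value) {
  return `<div class="card-field"><span class="label">${label}</span> ${value}</div>`;
}

// Hardened pattern: every untrusted piece is escaped before concatenation.
function renderCardFieldSafe(label, value) {
  return `<div class="card-field"><span class="label">${escapeHtml(label)}</span> ${escapeHtml(value)}</div>`;
}

// Alternative when a DOM node is available: assigning textContent never
// parses the value as HTML, so no escaping step is needed.
function fillCardFieldNode(node, value) {
  node.textContent = String(value);
  return node;
}

// Constructed sample: a field value a user could type into an artifact.
const SAMPLE_VALUE = "Fix login form <script>alert('card')</script>";

// Stand-alone demonstration of both renderings on the constructed value.
function demo() {
  return {
    unsafe: renderCardFieldUnsafe("Title", SAMPLE_VALUE),
    safe: renderCardFieldSafe("Title", SAMPLE_VALUE),
  };
}

console.log(demo().unsafe);
console.log(demo().safe);
```

The safe renderer applies escaping at the point where the value is inserted into markup, which is the property a fix for this class of issue has to guarantee for every field type shown on a card, not only for the one that was reported.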
Patches
The following versions contain the fix:
For more information
If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.