CVE-2025-30203

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the content of RSS feeds in the RSS widgets. A project administrator or someone with control over an used RSS feed could use this vulnerability to force victims to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742562878 and Tuleap Enterprise Edition 16.5-5 and 16.4-8.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Enalean/tuleap/commit/54cce3f5e883d16055cb0239e023f48cdf5eb25f	Patch
https://github.com/Enalean/tuleap/security/advisories/GHSA-39gx-34fc-rx6r	Third Party Advisory
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=54cce3f5e883d16055cb0239e023f48cdf5eb25f	Broken Link
https://tuleap.net/plugins/tracker/?aid=42243	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enalean:tuleap:::::enterprise:::*
	cpe:2.3:a:enalean:tuleap:::::community:::*
	cpe:2.3:a:enalean:tuleap:::::enterprise:::*

History

21 Aug 2025, 22:03

Type	Values Removed	Values Added
First Time		Enalean tuleap Enalean
CPE		cpe:2.3:a:enalean:tuleap:::::enterprise:::* cpe:2.3:a:enalean:tuleap:::::community:::*
Summary		(es) Tuleap es una suite de código abierto que mejora la gestión del desarrollo de software y la colaboración. Tuleap permite el uso de cross-site scripting (XSS) a través del contenido de las fuentes RSS en los widgets RSS. Un administrador de proyecto o alguien con control sobre una fuente RSS en uso podría aprovechar esta vulnerabilidad para obligar a las víctimas a ejecutar código no controlado. Esta vulnerabilidad está corregida en Tuleap Community Edition 16.5.99.1742562878 y Tuleap Enterprise Edition 16.5-5 y 16.4-8.
References	~~() https://github.com/Enalean/tuleap/commit/54cce3f5e883d16055cb0239e023f48cdf5eb25f -~~	() https://github.com/Enalean/tuleap/commit/54cce3f5e883d16055cb0239e023f48cdf5eb25f - Patch
References	~~() https://github.com/Enalean/tuleap/security/advisories/GHSA-39gx-34fc-rx6r -~~	() https://github.com/Enalean/tuleap/security/advisories/GHSA-39gx-34fc-rx6r - Third Party Advisory
References	~~() https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=54cce3f5e883d16055cb0239e023f48cdf5eb25f -~~	() https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=54cce3f5e883d16055cb0239e023f48cdf5eb25f - Broken Link
References	~~() https://tuleap.net/plugins/tracker/?aid=42243 -~~	() https://tuleap.net/plugins/tracker/?aid=42243 - Vendor Advisory

31 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-31 16:15

Updated : 2025-08-21 22:03

NVD link : CVE-2025-30203

Mitre link : CVE-2025-30203

CVE.ORG link : CVE-2025-30203

JSON object : View

Products Affected

enalean

tuleap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-84

Improper Neutralization of Encoded URI Schemes in a Web Page

4.8 /10