CVE-2025-65962
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Edition | Vulnerable versions | Fixed in |
|---|---|---|---|---|
| enalean | tuleap | Community Edition | prior to 17.0.99.1763803709 | 17.0.99.1763803709 |
| enalean | tuleap | Enterprise Edition 17.0 | prior to 17.0-4 | 17.0-4 |
| enalean | tuleap | Enterprise Edition 16.13 | prior to 16.13-9 | 16.13-9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a missing CSRF (Cross-Site Request Forgery) protection in the tracker field dependencies management of Tuleap, affecting Community Edition prior to 17.0.99.1763803709 and Enterprise Edition prior to 17.0-4 and 16.13-9. Because the requests that create or modify field dependency rules were not bound to a CSRF token, an attacker who lures a logged-in tracker administrator to a page under the attacker's control can make the victim's browser submit such a request, and the change is applied with the victim's privileges. The flaw does not bypass authentication on its own; it relies on the victim's existing session.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can alter the field dependency rules of a tracker (which field values are allowed given the value of another field) through the browser of an administrator who visits attacker-controlled content. This can silently change how artifacts are validated and filled in, undermining the integrity and reliability of the project's tracking data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Tuleap to Community Edition version 17.0.99.1763803709 or later, or Enterprise Edition versions 17.0-4 or 16.13-9 or later, where the issue is fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The installed Tuleap version is the primary indicator: Community Edition builds prior to 17.0.99.1763803709 and Enterprise Edition builds prior to 17.0-4 (17.0 branch) or 16.13-9 (16.13 branch) are vulnerable. Beyond the version check, you can verify whether the requests that manage tracker field dependencies are protected by a CSRF token. The resources provide no specific commands, but general approaches are:
1. Check the Tuleap version in the web interface or on the server, for example with `tuleap --version` if the CLI tool is available, or by reading the VERSION file shipped with the Tuleap installation (typically /usr/share/tuleap/VERSION on a packaged install).
2. Capture HTTP POST requests to the tracker dependencies management endpoint, for example with tcpdump or Wireshark on the server, or from a reverse proxy configured to log request bodies, and verify that each request carries a CSRF token parameter. curl is not a monitoring tool, but it can be used against a non-production instance to submit a test request without the token and confirm that the server rejects it.
3. Review the deployed source to confirm that the fix (commit 26678c5b411042e68964b199bf88a44607550633), which adds CSRF token validation in Tracker_RulesManager.php, is present.
Note that a token parameter appearing in captured traffic only shows that the form includes one; only a rejected token-less request proves the server actually validates it. [1, 2, 3]
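The two checks described above (version triage against the fixed releases named in the mitigation answer, and inspection of captured POST requests to the dependencies endpoint for a CSRF token) as one added example. This is not Tuleap project code and not taken from the advisory; it assumes the CSRF token field is named `challenge` and that the dependencies admin endpoint is `/plugins/tracker/` with `func=admin-dependencies`, both of which should be adjusted to match your deployment. The captured requests are constructed sample data.

```python
"""Triage helpers for CVE-2025-65962 (Tuleap tracker field dependencies CSRF).

Added example, not Tuleap project code. It does two things:
  1. classify a Tuleap version string against the fixed releases the
     advisory names (CE 17.0.99.1763803709, EE 17.0-4 and 16.13-9);
  2. scan captured HTTP POST requests to the tracker dependencies admin
     endpoint and report the ones that carry no CSRF token field.
Assumptions to adjust for your deployment: the CSRF field is named
"challenge" and the endpoint is /plugins/tracker/ with func=admin-dependencies.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_CE = (17, 0, 99, 1763803709)      # first fixed Community Edition build
FIXED_EE = {(17, 0): 4, (16, 13): 9}    # EE branch -> first fixed build number
TOKEN_FIELD = "challenge"               # assumed CSRF token field name
ADMIN_FUNC = "admin-dependencies"       # assumed func= value of the endpoint


def classify_version(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a Tuleap version string."""
    ee = re.fullmatch(r"(\d+)\.(\d+)-(\d+)", version)          # e.g. 17.0-4
    if ee:
        branch = (int(ee.group(1)), int(ee.group(2)))
        build = int(ee.group(3))
        if branch in FIXED_EE:
            return "fixed" if build >= FIXED_EE[branch] else "vulnerable"
        # Branches newer than 17.0 were cut after the fix; older ones are
        # not covered by the advisory, so report them for manual review.
        return "fixed" if branch > max(FIXED_EE) else "unknown"
    ce = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version)  # e.g. 17.0.99.1763803709
    if ce:
        parts = tuple(int(g) for g in ce.groups())
        return "fixed" if parts >= FIXED_CE else "vulnerable"
    return "unknown"


def parse_request(raw: str) -> dict:
    """Split a captured HTTP/1.x request into method, target, headers and form."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    form = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body)   # blank values are dropped, so "challenge=" counts as missing
    return {"method": method, "target": target, "path": url.path,
            "query": parse_qs(url.query), "headers": headers, "form": form}


def posts_missing_csrf(raw_requests, token_field: str = TOKEN_FIELD) -> list:
    """Return request targets of dependency-admin POSTs that carry no CSRF token."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        if req["method"] != "POST":
            continue   # CSRF tokens guard state-changing requests only
        if not req["path"].startswith("/plugins/tracker/") or req["query"].get("func") != [ADMIN_FUNC]:
            continue
        if token_field not in req["form"] and token_field not in req["query"]:
            findings.append(req["target"])
    return findings


# Constructed sample captures (not real traffic): one protected POST, one
# token-less POST, one GET and one POST to an unrelated tracker function.
CAPTURED = [
    "POST /plugins/tracker/?tracker=42&func=admin-dependencies HTTP/1.1\r\n"
    "Host: tuleap.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "source_field=101&target_field=102&challenge=0123456789abcdef",

    "POST /plugins/tracker/?tracker=43&func=admin-dependencies HTTP/1.1\r\n"
    "Host: tuleap.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "source_field=201&target_field=202",

    "GET /plugins/tracker/?tracker=43&func=admin-dependencies HTTP/1.1\r\n"
    "Host: tuleap.example.com\r\n"
    "\r\n",

    "POST /plugins/tracker/?tracker=43&func=new-artifact HTTP/1.1\r\n"
    "Host: tuleap.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "artifact%5B1%5D=hello",
]

if __name__ == "__main__":
    for v in ("17.0.99.1763803709", "17.0.99.1763000000", "17.0-3", "16.13-9"):
        print(v, classify_version(v))
    print("token-less dependency POSTs:", posts_missing_csrf(CAPTURED))
```

A request flagged by `posts_missing_csrf` is only evidence that the form was submitted without a token; to confirm the server enforces the check, replay such a request against a test instance and verify it is rejected rather than applied.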