{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64499", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-05T19:12:25.103Z", "datePublished": "2025-12-08T22:44:29.555Z", "dateUpdated": "2025-12-09T16:04:34.393Z"}, "containers": {"cna": {"title": "Tuleap is missing CSRF protections for its planning management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x"}, {"name": "https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526", "tags": ["x_refsource_MISC"], "url": "https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526"}, {"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526"}, {"name": "https://tuleap.net/plugins/tracker/?aid=45592", "tags": ["x_refsource_MISC"], "url": "https://tuleap.net/plugins/tracker/?aid=45592"}], "affected": [{"vendor": "Enalean", "product": "tuleap", "versions": [{"version": "Tuleap Community Edition < 17.0.99.1762456922", "status": "affected"}, {"version": "Tuleap Enterprise Edition < 17.0-2", "status": "affected"}, {"version": "Tuleap Enterprise Edition < 16.13-7", "status": "affected"}, {"version": "Tuleap Enterprise Edition < 16.12-10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-08T22:44:29.555Z"}, "descriptions": [{"lang": "en", "value": "Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10."}], "source": {"advisory": "GHSA-9h47-jg7r-ww7x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T14:19:21.955484Z", "id": "CVE-2025-64499", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T16:04:34.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64499", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T14:19:21.955484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T14:19:25.934Z"}}], "cna": {"title": "Tuleap is missing CSRF protections for its planning management API", "source": {"advisory": "GHSA-9h47-jg7r-ww7x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Enalean", "product": "tuleap", "versions": [{"status": "affected", "version": "Tuleap Community Edition < 17.0.99.1762456922"}, {"status": "affected", "version": "Tuleap Enterprise Edition < 17.0-2"}, {"status": "affected", "version": "Tuleap Enterprise Edition < 16.13-7"}, {"status": "affected", "version": "Tuleap Enterprise Edition < 16.12-10"}]}], "references": [{"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x", "name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526", "name": "https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526", "tags": ["x_refsource_MISC"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526", "name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526", "tags": ["x_refsource_MISC"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=45592", "name": "https://tuleap.net/plugins/tracker/?aid=45592", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-08T22:44:29.555Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64499", "state": "PUBLISHED", "dateUpdated": "2025-12-09T16:04:34.393Z", "dateReserved": "2025-11-05T19:12:25.103Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-08T22:44:29.555Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "286870BF-3315-4B78-AC67-97EB2D5F34ED", "versionEndExcluding": "16.12-10", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "matchCriteriaId": "8A6B5D51-B4FC-425D-AC04-211E1B0E8A50", "versionEndExcluding": "17.0.99.1762456922", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CBD9092A-8E4A-43EF-B9B8-D8BDA9D30430", "versionEndExcluding": "16.13-7", "versionStartIncluding": "16.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F96A9306-179A-48BD-A2D9-CB081E9747B8", "versionEndExcluding": "17.0-2", "versionStartIncluding": "17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10."}], "id": "CVE-2025-64499", "lastModified": "2025-12-10T21:03:51.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-08T23:15:48.330", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Broken Link"], "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://tuleap.net/plugins/tracker/?aid=45592"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-12-09T10:04:46.219956+00:00", "updated": "2025-12-09T10:04:46.219984+00:00", "vendors": ["enalean", "enalean$PRODUCT$tuleap"]}