CVE-2024-46980

Public Exploit
Tuleap vulnerable to XSS in the HTML mail content of the cross reference field

Description

Tuleap is a tool for end to end traceability of application and system developments. Prior to Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6, a site administrator could create an artifact link type with a forward label allowing them to execute uncontrolled code (or at least achieve content injection) in a mail client. Tuleap Community Edition 15.13.99.37, Tuleap Enterprise Edition 15.13-3, and Tuleap Enterprise Edition 15.12-6 fix this issue.

Category

4.8
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Third-Party Advisory github.com Third-Party Advisory tuleap.net
Affected: Enalean tuleap
Published at:
Updated at:

References

Link Tags
https://github.com/Enalean/tuleap/security/advisories/GHSA-9fc9-47h6-82jj third party advisory
https://github.com/Enalean/tuleap/commit/dd94a799982cd78ab06142008d745edf9e8fd494 patch
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=dd94a799982cd78ab06142008d745edf9e8fd494 patch issue tracking
https://tuleap.net/plugins/tracker/?aid=39689 third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2024-46980?
CVE-2024-46980 has been scored as a medium severity vulnerability.
How to fix CVE-2024-46980?
To fix CVE-2024-46980, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-46980 being actively exploited in the wild?
It is possible that CVE-2024-46980 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-46980?
CVE-2024-46980 affects Enalean tuleap.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.