| ID | CVSS | Summary | Last (major) update | Published |
|---|---|---|---|---|
| | | An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes their password. | 21-09-2018 - 03:29 | 21-09-2018 - 03:29 |
| | | A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands. | 12-03-2018 - 17:29 | 12-03-2018 - 17:29 |
| | | An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible for attackers to abuse the functionality. By making a CSRF attack, an attacker could make a victim change his registered | 01-03-2018 - 18:29 | 01-03-2018 - 18:29 |
| | | An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users | 30-10-2017 - 10:29 | 30-10-2017 - 10:29 |
| | | Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, an | 11-05-2017 - 10:22 | 29-04-2017 - 12:59 |
| | | XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier allows remote authenticated users to read arbitrary files via a crafted XML document in a create action to plugins/tracker/. | 01-12-2015 - 14:03 | 31-10-2014 - 10:55 |
| | | SQL injection vulnerability in Enalean Tuleap before 126.96.36.199 allows remote authenticated users to execute arbitrary SQL commands via the lobal_txt parameter to plugins/docman. | 20-11-2015 - 11:26 | 04-11-2014 - 10:55 |
| | | Enalean Tuleap before 188.8.131.52 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function. | 16-12-2014 - 21:46 | 28-11-2014 - 10:59 |
| | | project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter. | 16-12-2014 - 14:23 | 01-12-2014 - 20:59 |