Platform
php
Component
tuleap
Fixed in
17.0.100
17.0.1
16.13.1
CVE-2025-65962 describes a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap, a free and open-source suite for software development and collaboration. The flaw lets an attacker forge a request that modifies tracker fields on behalf of a logged-in user, leading to unauthorized changes to tracker data. It affects Tuleap Community Edition versions prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 (17.0 branch) and 16.13-9 (16.13 branch). The fix ships in Tuleap Community Edition 17.0.99.1763803709 and Tuleap Enterprise Edition 17.0-4 and 16.13-9.
Successful exploitation of CVE-2025-65962 lets an attacker cause an authenticated user's browser to submit a tracker field update the user never intended, for example by luring that user to an attacker-controlled page while they hold a valid Tuleap session. This could alter task assignments, change issue priorities, or modify other tracker data. The forged request runs with the full privileges of the victim, so the impact scales with that user's permissions. CSRF does not return the server's response to the attacker, so the direct effect is unauthorized modification rather than disclosure; the practical risk is corrupted tracker data and disrupted workflows in a collaborative development environment.
CVE-2025-65962 was publicly disclosed on December 8, 2025. There is no indication of active exploitation campaigns at this time, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 4.6 rates the severity as Medium; note that CVSS measures impact under its scoring assumptions, not likelihood of exploitation, which is what the EPSS figure below (0.02%, 5th percentile) estimates.
Any organization running an unpatched Tuleap Community Edition or Enterprise Edition in a collaborative software development environment is at risk. Because the forged request executes with the victim's permissions, instances where users hold broad tracker write access, or that lack granular access controls, have the most to lose from a single forged update. Older installations that have not been brought to 16.13-9 or later are exposed regardless of how long they have been running.
• php: Examine the web-server access logs of the Tuleap instance for POST requests to tracker endpoints whose Referer is missing or names a host other than the Tuleap instance. A browser submitting a forged form from an attacker's page sends that page as the Referer (or nothing, if the page sets a no-referrer policy), so both cases deserve triage. The tracker URL prefix and hostname below are placeholders; adjust them for your deployment:
grep -E '"POST [^"]*/plugins/tracker/' /var/log/apache2/access.log | grep -Ev ' "https?://tuleap\.example\.org/'
• generic web: Check for unusual tracker field modifications in Tuleap. Monitor user activity for unexpected changes to task assignments or issue priorities, in particular changes the apparent author does not recognise making.
• generic web: Do not rely on Content Security Policy (CSP) as a CSRF control. A CSP served by Tuleap governs what Tuleap's own pages may load or submit to; the forged request is issued from a page the attacker controls, which that policy never applies to. Review instead whether the session cookie carries the SameSite attribute and whether state-changing tracker requests are validated by Origin/Referer and a per-session token.
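The log triage described in the first bullet, as an added example that is not part of the original page or of Tuleap itself: it parses Apache combined-format lines and flags POST requests to tracker URLs whose Referer is absent or points at another host. The hostname `tuleap.example.org`, the tracker path prefix `/plugins/tracker/` and the sample log lines are all constructed assumptions, not real traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Apache "combined" format: client ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TULEAP_HOST = "tuleap.example.org"          # assumption: hostname of the Tuleap instance
TRACKER_PATH_PREFIX = "/plugins/tracker/"   # assumption: URL prefix of tracker artifact updates


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referer_host(referer: str) -> str:
    """Hostname of the Referer value; '' when the header was absent (logged as '-')."""
    if not referer or referer == "-":
        return ""
    return (urlparse(referer).hostname or "").lower()


def suspicious_tracker_posts(lines: List[str], host: str = TULEAP_HOST) -> List[Dict[str, str]]:
    """POST requests to tracker URLs whose Referer is missing or names another host.

    Non-browser clients can forge Referer, so a clean value is not proof of
    legitimacy; this is a triage filter, not a verdict.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(TRACKER_PATH_PREFIX):
            continue
        rhost = referer_host(rec["referer"])
        if rhost == host.lower():
            continue
        rec["reason"] = "missing referer" if not rhost else f"foreign referer {rhost}"
        hits.append(rec)
    return hits


# Constructed sample lines (not real traffic); addresses and timestamps are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Dec/2025:10:00:01 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 '
    '"https://tuleap.example.org/plugins/tracker/?aid=42" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:01:12 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 '
    '"https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:02:30 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Dec/2025:10:03:00 +0000] "GET /plugins/tracker/?aid=42 HTTP/1.1" 200 5120 '
    '"https://attacker.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:04:00 +0000] "POST /api/projects HTTP/1.1" 200 50 '
    '"https://attacker.example/" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in suspicious_tracker_posts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} POST {hit["path"]}: {hit["reason"]}')
```

Expect false positives from users whose browser or privacy extension strips the Referer; correlate each hit with the tracker's own change history before treating it as a forged update.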
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-65962 is to upgrade Tuleap to a patched version: Tuleap Community Edition 17.0.99.1763803709 or later, or Tuleap Enterprise Edition 17.0-4 or 16.13-9 or later. If an immediate upgrade is not feasible, be aware that a Content Security Policy on the Tuleap server does not stop CSRF, because the forged request is submitted from a page the attacker controls, and that multi-factor authentication does not help either, because the forged request rides on a session the victim has already authenticated. The browser-side control that does reduce exposure in the interim is a SameSite attribute on the session cookie, which keeps it off cross-site form submissions; limiting tracker write permissions to the users who need them reduces what a forged request can change. After upgrading, confirm the fix by serving a page on a different origin that submits a tracker field update while you are logged in to Tuleap, and verify that the update is rejected and the field is unchanged.
Update Tuleap Community Edition to version 17.0.99.1763803709 or later. If you are using Tuleap Enterprise Edition, update to version 17.0-4 or 16.13-9 or later, as appropriate. This fixes the CSRF vulnerability in tracker field dependencies.
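The two checks that a CSRF fix for a tracker-field update has to pass, modelled as an added example that is not Tuleap's code and does not describe how Tuleap implements its fix: the server accepts the update only if the browser-attributed origin matches the instance and the form carries a synchronizer token the attacker's page cannot read. It then runs one legitimate and four forged requests through that check, which is the same set of cases the post-upgrade verification above should exercise against a real instance. The origin `https://tuleap.example.org`, the form field name `csrf_token` and the form name are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Mapping, Optional
from urllib.parse import urlparse

ALLOWED_ORIGIN = "https://tuleap.example.org"   # assumption: origin of the Tuleap instance
TOKEN_FIELD = "csrf_token"                      # hypothetical name of the hidden form field


class CsrfRejected(Exception):
    """Raised when a state-changing request fails the CSRF checks."""


def issue_token(session_secret: bytes, form_name: str) -> str:
    """Synchronizer token: HMAC of the form name under a per-session secret.

    The attacker's page cannot read this value (same-origin policy), so a forged
    request cannot include it.
    """
    return hmac.new(session_secret, form_name.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Origin the browser attributes the request to: Origin header, else derived from Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        u = urlparse(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}"
    return None


def verify_field_update(headers: Mapping[str, str], form: Mapping[str, str],
                        session_secret: bytes, form_name: str) -> str:
    """Accept a tracker-field update only if it is same-origin and carries a valid token."""
    origin = request_origin(headers)
    if origin is None:
        raise CsrfRejected("no Origin or Referer header")
    if origin != ALLOWED_ORIGIN:
        raise CsrfRejected(f"cross-origin request from {origin}")
    expected = issue_token(session_secret, form_name)
    supplied = form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(supplied, expected):
        raise CsrfRejected("missing or invalid CSRF token")
    return "accepted"


def simulate() -> Dict[str, str]:
    """Run the check against one legitimate and four forged requests; return each outcome."""
    session_secret = secrets.token_bytes(32)   # held server-side, bound to the victim's session
    form_name = "tracker_field_update"
    update = {"field_id": "assigned_to", "value": "attacker"}
    good_token = issue_token(session_secret, form_name)
    cases = {
        "same-origin with token": (
            {"Origin": ALLOWED_ORIGIN, "Cookie": "session=victim"},
            {**update, TOKEN_FIELD: good_token}),
        "cross-origin, no token": (
            {"Origin": "https://attacker.example", "Cookie": "session=victim"},
            dict(update)),
        "no-referrer page, no token": (
            {"Cookie": "session=victim"},
            dict(update)),
        "cross-origin, guessed token": (
            {"Referer": "https://attacker.example/lure.html", "Cookie": "session=victim"},
            {**update, TOKEN_FIELD: "0" * 64}),
        "same-origin, no token": (   # e.g. a replayed request; the token check still applies
            {"Origin": ALLOWED_ORIGIN, "Cookie": "session=victim"},
            dict(update)),
    }
    results: Dict[str, str] = {}
    for name, (headers, form) in cases.items():
        try:
            results[name] = verify_field_update(headers, form, session_secret, form_name)
        except CsrfRejected as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:30} -> {outcome}")
```

Every forged case carries the victim's cookie, which is exactly what CSRF exploits; the checks succeed because they rely on things a cross-site page cannot supply (a matching Origin, the session-bound token), not on the cookie. Against a live instance the same five cases translate into a self-submitting form hosted on another origin, with and without a copied token, and the expected result for each forged case is that the tracker field does not change.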
CVE-2025-65962 is a CSRF vulnerability in Tuleap that lets an attacker modify tracker fields through a logged-in user's browser. It affects Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition prior to 17.0-4 (17.0 branch) and 16.13-9 (16.13 branch), and carries a Medium severity (CVSS 4.6).
You are affected if you are running Tuleap Community Edition prior to 17.0.99.1763803709 or Tuleap Enterprise Edition prior to 17.0-4 or 16.13-9. Check your installed version and edition and upgrade accordingly.
Upgrade to Tuleap Community Edition 17.0.99.1763803709 or Tuleap Enterprise Edition 17.0-4 or 16.13-9. If an immediate upgrade is not possible, a CSP is not a substitute, since the forged request comes from the attacker's page; set the SameSite attribute on the session cookie and restrict tracker write permissions until you can upgrade.
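A version check that encodes the thresholds stated in the advisory text above, as an added example rather than a tool from the page or from Tuleap: Community Edition versions are dotted numbers compared component by component, while Enterprise Edition versions are a branch plus a build number (`17.0-4`), so the two schemes need separate parsers. Enterprise branches the advisory does not name are reported as unknown rather than guessed.

```python
import re
from typing import Tuple

# Thresholds as stated in the advisory text; the edition names are this example's own labels.
FIXED_COMMUNITY = "17.0.99.1763803709"
FIXED_ENTERPRISE = {"17.0": 4, "16.13": 9}   # branch -> first fixed build number

CE_RE = re.compile(r"\d+(?:\.\d+)+")
EE_RE = re.compile(r"(\d+\.\d+)-(\d+)")


def parse_community(version: str) -> Tuple[int, ...]:
    """'17.0.99.1763803709' -> (17, 0, 99, 1763803709); tuples compare component-wise."""
    if not CE_RE.fullmatch(version):
        raise ValueError(f"not a Community Edition version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def parse_enterprise(version: str) -> Tuple[str, int]:
    """'17.0-4' -> ('17.0', 4): the branch and its build number."""
    m = EE_RE.fullmatch(version)
    if not m:
        raise ValueError(f"not an Enterprise Edition version: {version!r}")
    return m.group(1), int(m.group(2))


def assess(edition: str, version: str) -> Tuple[str, str]:
    """Return (status, detail); status is 'fixed', 'affected' or 'unknown'."""
    if edition == "community":
        installed = parse_community(version)
        fixed = parse_community(FIXED_COMMUNITY)
        if installed >= fixed:
            return "fixed", f"{version} >= {FIXED_COMMUNITY}"
        return "affected", f"{version} < {FIXED_COMMUNITY}"
    if edition == "enterprise":
        branch, build = parse_enterprise(version)
        if branch not in FIXED_ENTERPRISE:
            return "unknown", f"branch {branch} is not named in the advisory"
        fixed_build = FIXED_ENTERPRISE[branch]
        if build >= fixed_build:
            return "fixed", f"{version} >= {branch}-{fixed_build}"
        return "affected", f"{version} < {branch}-{fixed_build}"
    raise ValueError(f"unknown edition: {edition!r}")


if __name__ == "__main__":
    # Constructed inputs for illustration, not readings from a real installation.
    for edition, version in [("community", "17.0.98"), ("community", "17.0.100"),
                             ("enterprise", "16.13-8"), ("enterprise", "17.0-4"),
                             ("enterprise", "16.12-20")]:
        status, detail = assess(edition, version)
        print(f"{edition:10} {version:22} {status:9} {detail}")
```

Note that a plain `17.0.99` without the build suffix compares below `17.0.99.1763803709` and is therefore reported as affected, which is the conservative reading of "prior to".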
There is currently no evidence of active exploitation campaigns for CVE-2025-65962.
Refer to the official Tuleap security advisories on their website for detailed information and updates regarding CVE-2025-65962.