{"id":"CVE-2023-35929","summary":"Tuleap Cross-site Scripting vulnerability in the card field of the agile dashboard apps","details":"Tuleap is a free and open source suite to improve management of software development and collaboration. Prior to version 14.10.99.4 of Tuleap Community Edition and prior to versions 14.10-2 and 14.9-5 of Tuleap Enterprise Edition, content displayed in the \"card fields\" (visible in the kanban and PV2 apps) is not properly escaped. A malicious user with the capability to create an artifact or to edit a field used as a card field could force a victim to execute uncontrolled code. Tuleap Community Edition 14.10.99.4, Tuleap Enterprise Edition 14.10-2, and Tuleap Enterprise Edition 14.9-5 contain a fix.","aliases":["GHSA-xhjp-4rjf-q268"],"modified":"2026-04-10T05:00:39.575823Z","published":"2023-07-25T17:30:22.017Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35929.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35929.json"},{"type":"FIX","url":"https://github.com/Enalean/tuleap/commit/0b2945fbd260d37aa0aff2ca1c867d160f76188d"},{"type":"ADVISORY","url":"https://github.com/Enalean/tuleap/security/advisories/GHSA-xhjp-4rjf-q268"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35929"},{"type":"WEB","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=0b2945fbd260d37aa0aff2ca1c867d160f76188d"},{"type":"WEB","url":"https://tuleap.net/plugins/tracker/?aid=32629"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"0b2945fbd260d37aa0aff2ca1c867d160f76188d"}]},{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"0b2945fbd260d37aa0aff2ca1c867d160f76188d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-35929.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"14.9-5"}]},{"events":[{"introduced":"0"},{"fixed":"14.10.99.4"}]},{"events":[{"introduced":"14.10"},{"fixed":"14.10-2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}