{"id":"CVE-2025-64760","summary":"Tuleap has missing CSRF protections in its tracker trigger management system","details":"Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 lack CSRF protections in tracker trigger management, which allows attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8.","aliases":["GHSA-f2xv-x3g6-4j9p"],"modified":"2026-04-10T05:34:01.383224Z","published":"2025-12-08T23:08:22.218Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64760.json","cwe_ids":["CWE-352"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64760.json"},{"type":"FIX","url":"https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4"},{"type":"ADVISORY","url":"https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64760"},{"type":"WEB","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4"},{"type":"WEB","url":"https://tuleap.net/plugins/tracker/?aid=45618"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"16.13-8"}]},{"events":[{"introduced":"0"},{"fixed":"17.0.99.1763126988"}]},{"events":[{"introduced":"17.0"},{"fixed":"17.0-3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64760.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"}]}