CVE-2014-7178 – Remote Command Execution in Enalean Tuleap

Posted by Portcullis Advisories on Oct 28

Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
CVE: CVE-2014-7178
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz

Details:

Tuleap does not validate the syntax of requests submitted to the SVN handler pages to check whether the request data
passed to the passthru() function introduces any extra parameters that would be executed in the…
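
The class of flaw described above, shown as an added PHP example that is not Tuleap code and does not come from the advisory: request data concatenated into a passthru() command line, next to a version that validates the syntax first and quotes every argument. The function names, the svnlook invocation, the repository path and the sample inputs are assumptions made for illustration; the repository root is assumed to be chosen by the server, not by the request.

```php
<?php
// Added illustration, not Tuleap source. Function names and the svnlook
// invocation are hypothetical stand-ins for an SVN handler's shell call.

// Conservative syntax for a repository-relative path: '/'-separated segments
// that start with a letter, digit or '_' (so none begins with '-' or '.').
const PATH_SYNTAX = '#\A[A-Za-z0-9_][A-Za-z0-9._-]*(?:/[A-Za-z0-9_][A-Za-z0-9._-]*)*\z#';

// Vulnerable pattern (shown for contrast, never called below): request data is
// concatenated into the command line, so the shell parses whatever it contains.
function svn_tree_unsafe(string $repoRoot, string $path): void
{
    passthru('svnlook tree ' . $repoRoot . ' ' . $path);
}

// Hardened pattern, step 1: reject anything outside the expected syntax,
// then quote every argument so the shell sees each one as a single word.
function build_svnlook_command(string $repoRoot, string $path): string
{
    if (preg_match(PATH_SYNTAX, $path) !== 1) {
        throw new InvalidArgumentException('path has unexpected syntax');
    }
    return 'svnlook tree ' . escapeshellarg($repoRoot) . ' ' . escapeshellarg($path);
}

// Step 2: run the validated command and surface a non-zero exit status.
function svn_tree_safe(string $repoRoot, string $path): void
{
    passthru(build_svnlook_command($repoRoot, $path), $status);
    if ($status !== 0) {
        error_log("svnlook exited with status $status");
    }
}

// Constructed sample inputs: one well-formed path, two that must be rejected.
foreach (['trunk/src', 'trunk;echo injected', '-v'] as $candidate) {
    try {
        $cmd = build_svnlook_command('/srv/svn/demo', $candidate);
        echo "accepted: $cmd\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . var_export($candidate, true) . "\n";
    }
}
```

The allow-list check is what stops extra options such as a leading `-`; escapeshellarg() alone only prevents the shell from splitting or interpreting the value.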
