{"id":"CVE-2018-7634","details":"An issue was discovered in Enalean Tuleap 9.17. The e-mail address change functionality lacks CSRF mitigation, which lets attackers abuse it. Through a CSRF attack, an attacker could cause a victim's registered e-mail address on the application to be changed, leading to account takeover.","modified":"2026-02-23T08:14:43.613397Z","published":"2018-03-01T23:29:00.607Z","references":[{"type":"ADVISORY","url":"https://mustafairan.wordpress.com/2018/03/05/tuleap-mail-change-csrf-vulnerability-leads-to-account-takeover/"},{"type":"ADVISORY","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commit&h=d6701289ae55de900929ff0f66313fa9771a198d"},{"type":"ADVISORY","url":"https://tuleap.net/plugins/tracker/?aid=11217"},{"type":"ADVISORY","url":"https://twitter.com/Mustafaran/status/970745812887199744"},{"type":"REPORT","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commit&h=d6701289ae55de900929ff0f66313fa9771a198d"},{"type":"FIX","url":"https://github.com/Enalean/tuleap/commit/0843c046eee54b16ec6a7753c575838212770189"},{"type":"FIX","url":"https://mustafairan.wordpress.com/2018/03/05/tuleap-mail-change-csrf-vulnerability-leads-to-account-takeover/"},{"type":"FIX","url":"https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commit&h=d6701289ae55de900929ff0f66313fa9771a198d"},{"type":"FIX","url":"https://tuleap.net/plugins/tracker/?aid=11217"},{"type":"EVIDENCE","url":"https://mustafairan.wordpress.com/2018/03/05/tuleap-mail-change-csrf-vulnerability-leads-to-account-takeover/"},{"type":"EVIDENCE","url":"https://twitter.com/Mustafaran/status/970745812887199744"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enalean/tuleap","events":[{"introduced":"0"},{"fixed":"0843c046eee54b16ec6a7753c575838212770189"}]}],"versions":["1839_conditions_on_dates_in_5_7_1","4.0.18","4.0.20","4.0.28","5.0.1","5.0.2","5.0.3","5.0.4","5.
1.0","5.11","5.12","5.2","5.3","5.3.1","5.4","5.5","5.5.1","5.5.2","5.5.3","5.5.4","5.6","5.6.1","5.6.2","5.7","5.8","5.9","5.9.1","6.0","6.1","6.10","6.11","6.12","6.2","6.3","6.4","6.5","6.6","6.7","6.8","6.9","7.0","7.1","7.10","7.11","7.2","7.3","7.4","7.5","7.6","7.7","7.8","7.9","8.0","8.1","8.10","8.11","8.12","8.13","8.14","8.15","8.16","8.17","8.18","8.19","8.2","8.3","8.4","8.5","8.6","8.7","8.8","8.9","9.0","9.1","9.10","9.11","9.12","9.13","9.14","9.15","9.16","9.17","9.2","9.3","9.4","9.5","9.6","9.7","9.8","9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-7634.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}