High severity8.8NVD Advisory· Published Oct 30, 2017· Updated May 13, 2026

CVE-2017-7411

Description

An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).

Affected products

Enalean/Tuleap
cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*:*
Range: <=9.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

tuleap.net/plugins/tracker/nvdExploitIssue TrackingVendor Advisory
karmainsecurity.com/KIS-2017-02nvdIssue TrackingThird Party Advisory
packetstormsecurity.com/files/144716/Tuleap-9.6-Second-Order-PHP-Object-Injection.htmlnvdIssue TrackingThird Party AdvisoryVDB Entry
seclists.org/fulldisclosure/2017/Oct/53nvdIssue TrackingMailing ListThird Party Advisory
www.openwall.com/lists/oss-security/2017/10/23/3nvdIssue TrackingMailing ListThird Party Advisory
www.exploit-db.com/exploits/43374/nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.059
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000