This Metasploit module exploits a second-order PHP object injection vulnerability in Tuleap <= 9.6 which could be abused by authenticated users to execute arbitrary PHP code with the permissions of the webserver. The vulnerability exists because the User::getRecentElements() method calls the unserialize() function on data that a user can arbitrarily manipulate through the REST API. The exploit's POP chain abuses the __toString() method from the Mustache class to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.
b7ed3767d2e556f3c32b4d333b7a61ed02e66ba71ca064fedea6edb456ce4664
Tuleap versions 9.6 and below suffer from a second-order PHP object injection vulnerability.
614615fd533a9914f7dae0fc5c046315ec0b6c9faa00541179463892e627fd24