Openproject
Monthly
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.
OpenProject prior to 17.2.0 fails to validate project membership when calculating labor costs in budget planning, allowing authenticated users to enumerate non-member employees' default billing rates. This exposure occurs both when editing budgets directly and through the cost preview calculation endpoint, potentially revealing sensitive salary information to unauthorized project users.
web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).
OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.
Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.
Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the project management server.
OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.
Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.
Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.
Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse permissions to inject malicious git command options via a crafted rev parameter, enabling creation or overwriting of arbitrary files with the privileges of the OpenProject process. An attacker can exploit the `/projects/:project_id/repository/diff.diff` endpoint to write git show output to attacker-controlled file paths on the server. No patch is currently available for this high-severity vulnerability affecting the open-source project management platform.
OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.
OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.
Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.
OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.
OpenProject is an open-source, web-based project management software. [CVSS 5.3 MEDIUM]
OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.
Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF export feature. Authenticated users can read server files by uploading malicious SVGs disguised as PNGs. Patch available.
OpenProject is open-source, web-based project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.
OpenProject prior to 17.2.0 fails to validate project membership when calculating labor costs in budget planning, allowing authenticated users to enumerate non-member employees' default billing rates. This exposure occurs both when editing budgets directly and through the cost preview calculation endpoint, potentially revealing sensitive salary information to unauthorized project users.
web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).
OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.
Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.
Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the project management server.
OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.
Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.
Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.
Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse permissions to inject malicious git command options via a crafted rev parameter, enabling creation or overwriting of arbitrary files with the privileges of the OpenProject process. An attacker can exploit the `/projects/:project_id/repository/diff.diff` endpoint to write git show output to attacker-controlled file paths on the server. No patch is currently available for this high-severity vulnerability affecting the open-source project management platform.
OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.
OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.
Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.
OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.
OpenProject is an open-source, web-based project management software. [CVSS 5.3 MEDIUM]
OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.
Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF export feature. Authenticated users can read server files by uploading malicious SVGs disguised as PNGs. Patch available.
OpenProject is open-source, web-based project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.