Search criteria
27 vulnerabilities found for openproject by openproject
FKIE_CVE-2025-24892
Vulnerability from fkie_nvd - Published: 2025-02-10 16:15 - Updated: 2025-08-27 02:09
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFB535C5-5B73-4EBF-A371-D0745DDE0614",
"versionEndExcluding": "15.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually."
},
{
"lang": "es",
"value": "OpenProject es un software de gesti\u00f3n de proyectos basado en la web y de c\u00f3digo abierto. En versiones anteriores a la 15.2.1, la aplicaci\u00f3n no puede depurar correctamente la entrada del usuario antes de mostrarla en la secci\u00f3n Gesti\u00f3n de grupos. Los grupos creados con etiquetas de script HTML no se escapan correctamente antes de mostrarlos en un proyecto. El problema se ha resuelto en la versi\u00f3n 15.2.1 de OpenProject. Aquellos que no puedan actualizar pueden aplicar el parche manualmente."
}
],
"id": "CVE-2025-24892",
"lastModified": "2025-08-27T02:09:35.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-10T16:15:39.310",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/pull/17783"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-1"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-41801
Vulnerability from fkie_nvd - Published: 2024-07-25 17:15 - Updated: 2024-11-21 09:33
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren't able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DD5240-5B99-4F0D-8DE1-05F110DF2BAD",
"versionEndExcluding": "14.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the \"Login required\" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user\u0027s account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren\u0027t able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject."
},
{
"lang": "es",
"value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto. Antes de la versi\u00f3n 14.3.0, al usar un encabezado HOST falsificado en la configuraci\u00f3n predeterminada de las instalaciones empaquetadas y usar la configuraci\u00f3n \"Login required\", un atacante pod\u00eda redirigir a un host remoto para iniciar un ataque de phishing contra la cuenta de un usuario de OpenProject. Esta vulnerabilidad afecta la instalaci\u00f3n empaquetada predeterminada de OpenProject sin ninguna configuraci\u00f3n o m\u00f3dulos adicionales en Apache (como mod_security, configurar manualmente un nombre de host, tener un VirtualHost alternativo). Tambi\u00e9n podr\u00eda afectar a otras instalaciones que no se preocuparon de arreglar los encabezados HOST/X-Fordered-Host. La versi\u00f3n 14.3.0 incluye protecciones m\u00e1s s\u00f3lidas para el nombre de host desde la aplicaci\u00f3n utilizando el middleware HostAuthorization de Rails para rechazar cualquier solicitud con un nombre de host que no coincida con el configurado. Adem\u00e1s, ahora se garantiza que todos los enlaces generados por la aplicaci\u00f3n utilicen el nombre de host integrado. Los usuarios que no puedan actualizar inmediatamente pueden usar mod_security para Apache2 o arreglar manualmente los encabezados Host y X-Forwarded-Host en su aplicaci\u00f3n de proxy antes de llegar al servidor de aplicaciones de OpenProject. Alternativamente, pueden aplicar manualmente el parche para optar por las protecciones del encabezado del host en versiones anteriores de OpenProject."
}
],
"id": "CVE-2024-41801",
"lastModified": "2024-11-21T09:33:05.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-25T17:15:11.423",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-33960
Vulnerability from fkie_nvd - Published: 2023-06-01 17:15 - Updated: 2024-11-21 08:06
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.
Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C56B66DC-C671-44DD-B148-B57AD5D7A098",
"versionEndExcluding": "12.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.\n\nVersion 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership."
}
],
"id": "CVE-2023-33960",
"lastModified": "2024-11-21T08:06:17.853",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-01T17:15:10.803",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Permissions Required"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-31140
Vulnerability from fkie_nvd - Published: 2023-05-08 21:15 - Updated: 2024-11-21 08:01
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14C47747-7F2C-4C04-ADA2-10AC21D73708",
"versionEndExcluding": "12.5.4",
"versionStartIncluding": "7.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround."
}
],
"id": "CVE-2023-31140",
"lastModified": "2024-11-21T08:01:28.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-08T21:15:11.693",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Release Notes"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Release Notes"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-43830
Vulnerability from fkie_nvd - Published: 2021-12-14 20:15 - Updated: 2024-11-21 06:29
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/opf/openproject/pull/9983 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/opf/openproject/pull/9983.patch | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/opf/openproject/releases/tag/v12.0.4 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/pull/9983 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/pull/9983.patch | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/releases/tag/v12.0.4 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0DB8D80E-6001-4F98-98AE-4E96A774E4A7",
"versionEndExcluding": "12.0.4",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is a web-based project management software. OpenProject versions \u003e= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you\u0027re upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"
},
{
"lang": "es",
"value": "OpenProject es un software de administraci\u00f3n de proyectos basado en la web. OpenProject versiones posteriores a 12.0.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n SQL en el m\u00f3dulo budgets. Para los usuarios autenticados con el permiso \"Edit budgets\", la petici\u00f3n para reasignar paquetes de trabajo a otro presupuesto no sanea suficientemente la entrada del usuario en el par\u00e1metro \"reassign_to_id\". La vulnerabilidad ha sido corregida en la versi\u00f3n 12.0.4. Las versiones anteriores a la 12.0.0 no est\u00e1n afectadas. Si est\u00e1 actualizando desde una versi\u00f3n anterior, aseg\u00farese de que est\u00e1 actualizando al menos a la versi\u00f3n 12.0.4. Si no puede actualizar a tiempo, puede aplicar el siguiente parche: https://github.com/opf/openproject/pull/9983.patch"
}
],
"id": "CVE-2021-43830",
"lastModified": "2024-11-21T06:29:53.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-14T20:15:07.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-32763
Vulnerability from fkie_nvd - Published: 2021-07-20 17:15 - Updated: 2024-11-21 06:07
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/opf/openproject/pull/9447.patch | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/pull/9447.patch | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "366A9F4F-7BF8-41F6-8A71-4E2D58687F6E",
"versionEndExcluding": "11.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `\u003cpre\u003e` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `\u003cpre\u003e` tag containing `n` spaces causes Ruby\u0027s regex engine to backtrack to try 2\u003csup\u003en\u003c/sup\u003e states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."
},
{
"lang": "es",
"value": "OpenProject es un software de administraci\u00f3n de proyectos de c\u00f3digo abierto basado en la web. En versiones anteriores a 11.3.3, la clase \"MessagesController\" de OpenProject presenta un m\u00e9todo \"quote\" que implementa la l\u00f3gica detr\u00e1s del bot\u00f3n Quote en los foros de discusi\u00f3n, y usa una regex para eliminar las etiquetas \"(pre)\" del mensaje que se est\u00e1 citando. La parte \"(.|\\s)\" puede coincidir con un car\u00e1cter de espacio de dos maneras, por lo que una etiqueta \"(pre)\" no terminada que contenga \"n\" espacios causa que el motor regex de Ruby retroceda para intentar 2(sup)n(/sup) estados en el NFA. Esto resultar\u00eda en una Denegaci\u00f3n de Servicio de Expresi\u00f3n Regular. El problema es corregido en OpenProject versi\u00f3n11.3.3. Como soluci\u00f3n, se puede instalar el parche manualmente"
}
],
"id": "CVE-2021-32763",
"lastModified": "2024-11-21T06:07:41.530",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-20T17:15:07.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-17092
Vulnerability from fkie_nvd - Published: 2019-10-09 19:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * | |
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFF7E2B3-4602-442F-A743-197FF8D120A4",
"versionEndExcluding": "9.0.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E37EC824-8416-4763-A904-26EA8469CB92",
"versionEndExcluding": "10.0.2",
"versionStartIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo XSS en la lista de proyectos en OpenProject versiones anteriores a 9.0.4 y versiones 10.x anteriores a 10.0.2, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro sortBy porque los mensajes de error son manejados inapropiadamente."
}
],
"id": "CVE-2019-17092",
"lastModified": "2024-11-21T04:31:40.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-09T19:15:13.990",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"source": "cve@mitre.org",
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-11600
Vulnerability from fkie_nvd - Published: 2019-05-13 20:29 - Updated: 2024-11-21 04:21
Severity ?
Summary
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63F1EDA9-AAB6-4851-B371-47DC7862C356",
"versionEndExcluding": "8.3.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en la API de actividades en OpenProject antes de 8.3.2 permite a un atacante remoto ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro id. El ataque se puede realizar sin autenticar si OpenProject est\u00e1 configurado para no requerir autenticaci\u00f3n para el acceso a la API."
}
],
"id": "CVE-2019-11600",
"lastModified": "2024-11-21T04:21:25.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-13T20:29:02.697",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-11667
Vulnerability from fkie_nvd - Published: 2017-07-26 20:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openproject | openproject | * | |
| openproject | openproject | 7.0.0 | |
| openproject | openproject | 7.0.1 | |
| openproject | openproject | 7.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0509FAC-06FE-474A-832A-7C31BF61025D",
"versionEndIncluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openproject:openproject:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B7B2B4B-1A7B-4FEB-89E3-DA8BE2014C03",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openproject:openproject:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EA2A84EB-96AE-405A-A028-F07A5E7B7657",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openproject:openproject:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7E5DE2F2-197B-481E-85A6-C5784800DC67",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session."
},
{
"lang": "es",
"value": "OpenProject anterior a versi\u00f3n 6.1.6 y versi\u00f3n 7.x anterior a 7.0.3, maneja inapropiadamente la expiraci\u00f3n de sesi\u00f3n, lo que permite a los atacantes remotos realizar peticiones APIv3 indefinidamente aprovechando una sesi\u00f3n secuestrada."
}
],
"id": "CVE-2017-11667",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-26T20:29:00.223",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-24892 (GCVE-0-2025-24892)
Vulnerability from cvelistv5 – Published: 2025-02-10 15:46 – Updated: 2025-02-12 15:45
VLAI?
Title
OpenProject stored HTML injection vulnerability
Summary
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 15.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:19:47.009601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:45:38.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 15.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T15:46:29.540Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j"
},
{
"name": "https://github.com/opf/openproject/pull/17783",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/17783"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-1"
}
],
"source": {
"advisory": "GHSA-mg4q-ghvh-cm2j",
"discovery": "UNKNOWN"
},
"title": "OpenProject stored HTML injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24892",
"datePublished": "2025-02-10T15:46:29.540Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-12T15:45:38.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41801 (GCVE-0-2024-41801)
Vulnerability from cvelistv5 – Published: 2024-07-25 16:50 – Updated: 2024-08-02 04:46
VLAI?
Title
OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
Summary
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren't able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject.
Severity ?
4.7 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 14.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:05:00.688519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:05:27.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"name": "https://github.com/user-attachments/files/16371759/host-protection.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/14-3-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 14.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the \"Login required\" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user\u0027s account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren\u0027t able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:50:16.180Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"name": "https://github.com/user-attachments/files/16371759/host-protection.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/14-3-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
}
],
"source": {
"advisory": "GHSA-g92v-vrq6-4fpw",
"discovery": "UNKNOWN"
},
"title": "OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41801",
"datePublished": "2024-07-25T16:50:16.180Z",
"dateReserved": "2024-07-22T13:57:37.135Z",
"dateUpdated": "2024-08-02T04:46:52.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33960 (GCVE-0-2023-33960)
Vulnerability from cvelistv5 – Published: 2023-06-01 16:20 – Updated: 2025-01-08 21:36
VLAI?
Title
OpenProject vulnerable to project identifier information leakage through robots.txt
Summary
OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.
Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 12.5.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"name": "https://github.com/opf/openproject/pull/12708",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"name": "https://community.openproject.org/wp/48324",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.5.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:36:38.068605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:36:47.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 12.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.\n\nVersion 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T16:20:23.714Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"name": "https://github.com/opf/openproject/pull/12708",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"name": "https://community.openproject.org/wp/48324",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
}
],
"source": {
"advisory": "GHSA-xjfc-fqm3-95q8",
"discovery": "UNKNOWN"
},
"title": "OpenProject vulnerable to project identifier information leakage through robots.txt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33960",
"datePublished": "2023-06-01T16:20:23.714Z",
"dateReserved": "2023-05-24T13:46:35.952Z",
"dateUpdated": "2025-01-08T21:36:47.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31140 (GCVE-0-2023-31140)
Vulnerability from cvelistv5 – Published: 2023-05-08 20:27 – Updated: 2025-01-29 14:55
VLAI?
Title
OpenProject user sessions not terminated after activation of 2FA
Summary
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
Severity ?
4.8 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
>= 7.4.0, < 12.5.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31140",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:55:14.858296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:55:24.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 12.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T20:27:48.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"source": {
"advisory": "GHSA-xfp9-qqfj-x28q",
"discovery": "UNKNOWN"
},
"title": "OpenProject user sessions not terminated after activation of 2FA"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31140",
"datePublished": "2023-05-08T20:27:48.218Z",
"dateReserved": "2023-04-24T21:44:10.417Z",
"dateUpdated": "2025-01-29T14:55:24.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43830 (GCVE-0-2021-43830)
Vulnerability from cvelistv5 – Published: 2021-12-14 19:25 – Updated: 2024-08-04 04:10
VLAI?
Title
SQL injection in OpenProject
Summary
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch
Severity ?
7.4 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
>= 12.0.0, < 12.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:15.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is a web-based project management software. OpenProject versions \u003e= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you\u0027re upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-14T19:25:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
],
"source": {
"advisory": "GHSA-f565-3whr-6m96",
"discovery": "UNKNOWN"
},
"title": "SQL injection in OpenProject",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43830",
"STATE": "PUBLIC",
"TITLE": "SQL injection in OpenProject"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openproject",
"version": {
"version_data": [
{
"version_value": "\u003e= 12.0.0, \u003c 12.0.4"
}
]
}
}
]
},
"vendor_name": "opf"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject is a web-based project management software. OpenProject versions \u003e= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you\u0027re upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"name": "https://github.com/opf/openproject/pull/9983",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"name": "https://github.com/opf/openproject/pull/9983.patch",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.0.4",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
]
},
"source": {
"advisory": "GHSA-f565-3whr-6m96",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43830",
"datePublished": "2021-12-14T19:25:12",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:15.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32763 (GCVE-0-2021-32763)
Vulnerability from cvelistv5 – Published: 2021-07-20 16:50 – Updated: 2024-08-03 23:33
VLAI?
Title
Regular Expression Denial of Service in OpenProject forum messages
Summary
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 11.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 11.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `\u003cpre\u003e` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `\u003cpre\u003e` tag containing `n` spaces causes Ruby\u0027s regex engine to backtrack to try 2\u003csup\u003en\u003c/sup\u003e states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-20T16:50:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
],
"source": {
"advisory": "GHSA-qqvp-j6gm-q56f",
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service in OpenProject forum messages",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32763",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service in OpenProject forum messages"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openproject",
"version": {
"version_data": [
{
"version_value": "\u003c 11.3.3"
}
]
}
}
]
},
"vendor_name": "opf"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `\u003cpre\u003e` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `\u003cpre\u003e` tag containing `n` spaces causes Ruby\u0027s regex engine to backtrack to try 2\u003csup\u003en\u003c/sup\u003e states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"name": "https://github.com/opf/openproject/pull/9447.patch",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
]
},
"source": {
"advisory": "GHSA-qqvp-j6gm-q56f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32763",
"datePublished": "2021-07-20T16:50:10",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17092 (GCVE-0-2019-17092)
Vulnerability from cvelistv5 – Published: 2019-10-09 18:22 – Updated: 2024-08-05 01:33
VLAI?
Summary
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:16.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-15T01:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17092",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openproject.org/release-notes/openproject-10-0-2/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"name": "https://www.openproject.org/release-notes/openproject-9-0-4/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"name": "https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"name": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17092",
"datePublished": "2019-10-09T18:22:45",
"dateReserved": "2019-10-02T00:00:00",
"dateUpdated": "2024-08-05T01:33:16.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11600 (GCVE-0-2019-11600)
Vulnerability from cvelistv5 – Published: 2019-05-13 19:57 – Updated: 2024-08-04 22:55
VLAI?
Summary
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:41.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-05-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-13T19:57:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11600",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"name": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"name": "https://www.openproject.org/release-notes/openproject-8-3-2/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"name": "https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11600",
"datePublished": "2019-05-13T19:57:47",
"dateReserved": "2019-04-30T00:00:00",
"dateUpdated": "2024-08-04T22:55:41.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11667 (GCVE-0-2017-11667)
Vulnerability from cvelistv5 – Published: 2017-07-26 20:00 – Updated: 2024-09-16 18:18
VLAI?
Summary
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:40.599Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-26T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11667",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openproject.org/openproject-6-1-6-released-security-fix/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"name": "https://www.openproject.org/openproject-7-0-3-released/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"name": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11667",
"datePublished": "2017-07-26T20:00:00Z",
"dateReserved": "2017-07-26T00:00:00Z",
"dateUpdated": "2024-09-16T18:18:09.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24892 (GCVE-0-2025-24892)
Vulnerability from nvd – Published: 2025-02-10 15:46 – Updated: 2025-02-12 15:45
VLAI?
Title
OpenProject stored HTML injection vulnerability
Summary
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 15.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:19:47.009601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:45:38.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 15.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T15:46:29.540Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j"
},
{
"name": "https://github.com/opf/openproject/pull/17783",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/17783"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-1"
}
],
"source": {
"advisory": "GHSA-mg4q-ghvh-cm2j",
"discovery": "UNKNOWN"
},
"title": "OpenProject stored HTML injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24892",
"datePublished": "2025-02-10T15:46:29.540Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-12T15:45:38.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41801 (GCVE-0-2024-41801)
Vulnerability from nvd – Published: 2024-07-25 16:50 – Updated: 2024-08-02 04:46
VLAI?
Title
OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
Summary
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren't able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject.
Severity ?
4.7 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 14.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:05:00.688519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:05:27.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"name": "https://github.com/user-attachments/files/16371759/host-protection.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/14-3-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 14.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the \"Login required\" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user\u0027s account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren\u0027t able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:50:16.180Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw"
},
{
"name": "https://github.com/user-attachments/files/16371759/host-protection.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/16371759/host-protection.patch"
},
{
"name": "https://www.openproject.org/docs/release-notes/14-3-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/14-3-0"
}
],
"source": {
"advisory": "GHSA-g92v-vrq6-4fpw",
"discovery": "UNKNOWN"
},
"title": "OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41801",
"datePublished": "2024-07-25T16:50:16.180Z",
"dateReserved": "2024-07-22T13:57:37.135Z",
"dateUpdated": "2024-08-02T04:46:52.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33960 (GCVE-0-2023-33960)
Vulnerability from nvd – Published: 2023-06-01 16:20 – Updated: 2025-01-08 21:36
VLAI?
Title
OpenProject vulnerable to project identifier information leakage through robots.txt
Summary
OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.
Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 12.5.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"name": "https://github.com/opf/openproject/pull/12708",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"name": "https://community.openproject.org/wp/48324",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.5.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:36:38.068605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:36:47.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 12.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available.\n\nVersion 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T16:20:23.714Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8"
},
{
"name": "https://github.com/opf/openproject/pull/12708",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/12708"
},
{
"name": "https://community.openproject.org/wp/48324",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openproject.org/wp/48324"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.5.6"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch"
}
],
"source": {
"advisory": "GHSA-xjfc-fqm3-95q8",
"discovery": "UNKNOWN"
},
"title": "OpenProject vulnerable to project identifier information leakage through robots.txt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33960",
"datePublished": "2023-06-01T16:20:23.714Z",
"dateReserved": "2023-05-24T13:46:35.952Z",
"dateUpdated": "2025-01-08T21:36:47.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31140 (GCVE-0-2023-31140)
Vulnerability from nvd – Published: 2023-05-08 20:27 – Updated: 2025-01-29 14:55
VLAI?
Title
OpenProject user sessions not terminated after activation of 2FA
Summary
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
Severity ?
4.8 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
>= 7.4.0, < 12.5.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31140",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:55:14.858296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T14:55:24.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 12.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-08T20:27:48.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q"
},
{
"name": "https://github.com/opf/openproject/pull/12508",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/12508"
},
{
"name": "https://community.openproject.org/wp/48035",
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openproject.org/wp/48035"
},
{
"name": "https://www.openproject.org/docs/release-notes/12-5-4/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openproject.org/docs/release-notes/12-5-4/"
}
],
"source": {
"advisory": "GHSA-xfp9-qqfj-x28q",
"discovery": "UNKNOWN"
},
"title": "OpenProject user sessions not terminated after activation of 2FA"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31140",
"datePublished": "2023-05-08T20:27:48.218Z",
"dateReserved": "2023-04-24T21:44:10.417Z",
"dateUpdated": "2025-01-29T14:55:24.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43830 (GCVE-0-2021-43830)
Vulnerability from nvd – Published: 2021-12-14 19:25 – Updated: 2024-08-04 04:10
VLAI?
Title
SQL injection in OpenProject
Summary
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch
Severity ?
7.4 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
>= 12.0.0, < 12.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:15.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is a web-based project management software. OpenProject versions \u003e= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you\u0027re upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-14T19:25:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
],
"source": {
"advisory": "GHSA-f565-3whr-6m96",
"discovery": "UNKNOWN"
},
"title": "SQL injection in OpenProject",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43830",
"STATE": "PUBLIC",
"TITLE": "SQL injection in OpenProject"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openproject",
"version": {
"version_data": [
{
"version_value": "\u003e= 12.0.0, \u003c 12.0.4"
}
]
}
}
]
},
"vendor_name": "opf"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject is a web-based project management software. OpenProject versions \u003e= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the \"Edit budgets\" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you\u0027re upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96"
},
{
"name": "https://github.com/opf/openproject/pull/9983",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9983"
},
{
"name": "https://github.com/opf/openproject/pull/9983.patch",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9983.patch"
},
{
"name": "https://github.com/opf/openproject/releases/tag/v12.0.4",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/releases/tag/v12.0.4"
}
]
},
"source": {
"advisory": "GHSA-f565-3whr-6m96",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43830",
"datePublished": "2021-12-14T19:25:12",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:15.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32763 (GCVE-0-2021-32763)
Vulnerability from nvd – Published: 2021-07-20 16:50 – Updated: 2024-08-03 23:33
VLAI?
Title
Regular Expression Denial of Service in OpenProject forum messages
Summary
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| opf | openproject |
Affected:
< 11.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 11.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `\u003cpre\u003e` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `\u003cpre\u003e` tag containing `n` spaces causes Ruby\u0027s regex engine to backtrack to try 2\u003csup\u003en\u003c/sup\u003e states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-20T16:50:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
],
"source": {
"advisory": "GHSA-qqvp-j6gm-q56f",
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service in OpenProject forum messages",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32763",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service in OpenProject forum messages"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openproject",
"version": {
"version_data": [
{
"version_value": "\u003c 11.3.3"
}
]
}
}
]
},
"vendor_name": "opf"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `\u003cpre\u003e` tags from the message being quoted. The `(.|\\s)` part can match a space character in two ways, so an unterminated `\u003cpre\u003e` tag containing `n` spaces causes Ruby\u0027s regex engine to backtrack to try 2\u003csup\u003en\u003c/sup\u003e states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f"
},
{
"name": "https://github.com/opf/openproject/pull/9447.patch",
"refsource": "MISC",
"url": "https://github.com/opf/openproject/pull/9447.patch"
}
]
},
"source": {
"advisory": "GHSA-qqvp-j6gm-q56f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32763",
"datePublished": "2021-07-20T16:50:10",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17092 (GCVE-0-2019-17092)
Vulnerability from nvd – Published: 2019-10-09 18:22 – Updated: 2024-08-05 01:33
VLAI?
Summary
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:16.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-15T01:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17092",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openproject.org/release-notes/openproject-10-0-2/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-10-0-2/"
},
{
"name": "https://www.openproject.org/release-notes/openproject-9-0-4/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-9-0-4/"
},
{
"name": "https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/Oct/29"
},
{
"name": "20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Oct/19"
},
{
"name": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17092",
"datePublished": "2019-10-09T18:22:45",
"dateReserved": "2019-10-02T00:00:00",
"dateUpdated": "2024-08-05T01:33:16.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11600 (GCVE-0-2019-11600)
Vulnerability from nvd – Published: 2019-05-13 19:57 – Updated: 2024-08-04 22:55
VLAI?
Summary
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:41.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-05-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-13T19:57:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11600",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/May/7"
},
{
"name": "20190510 SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/May/22"
},
{
"name": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html"
},
{
"name": "https://www.openproject.org/release-notes/openproject-8-3-2/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/release-notes/openproject-8-3-2/"
},
{
"name": "https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11600",
"datePublished": "2019-05-13T19:57:47",
"dateReserved": "2019-04-30T00:00:00",
"dateUpdated": "2024-08-04T22:55:41.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11667 (GCVE-0-2017-11667)
Vulnerability from nvd – Published: 2017-07-26 20:00 – Updated: 2024-09-16 18:18
VLAI?
Summary
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:40.599Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-26T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11667",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openproject.org/openproject-6-1-6-released-security-fix/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix/"
},
{
"name": "https://www.openproject.org/openproject-7-0-3-released/",
"refsource": "CONFIRM",
"url": "https://www.openproject.org/openproject-7-0-3-released/"
},
{
"name": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee",
"refsource": "CONFIRM",
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11667",
"datePublished": "2017-07-26T20:00:00Z",
"dateReserved": "2017-07-26T00:00:00Z",
"dateUpdated": "2024-09-16T18:18:09.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}