CVE-2024-35224 (GCVE-0-2024-35224)

Vulnerability from cvelistv5 – Published: 2024-05-23 12:53 – Updated: 2024-08-02 03:07
VLAI?
Title
Stored Cross-Site Scripting (XSS) in OpenProject
Summary
OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.
Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
Vendor Product Version
opf openproject Affected: >= 13.4.0, < 13.4.2
Affected: < 14.1.0
Affected: >= 14.0.0, < 14.0.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35224",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T16:39:22.186123Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:30.104Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.774Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc"
          },
          {
            "name": "https://community.openproject.org/projects/openproject/work_packages/55198/relations",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://community.openproject.org/projects/openproject/work_packages/55198/relations"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openproject",
          "vendor": "opf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.4.0, \u003c 13.4.2"
            },
            {
              "status": "affected",
              "version": "\u003c 14.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 14.0.0, \u003c 14.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions \"Edit work packages\" as well as \"Add attachments\". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket\u0027s attachment, you can store javascript in the application itself and bypass the application\u0027s CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T12:53:04.336Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc"
        },
        {
          "name": "https://community.openproject.org/projects/openproject/work_packages/55198/relations",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://community.openproject.org/projects/openproject/work_packages/55198/relations"
        }
      ],
      "source": {
        "advisory": "GHSA-h26c-j8wg-frjc",
        "discovery": "UNKNOWN"
      },
      "title": "Stored Cross-Site Scripting (XSS) in OpenProject"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35224",
    "datePublished": "2024-05-23T12:53:04.336Z",
    "dateReserved": "2024-05-14T15:39:41.784Z",
    "dateUpdated": "2024-08-02T03:07:46.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions \\\"Edit work packages\\\" as well as \\\"Add attachments\\\". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket\u0027s attachment, you can store javascript in the application itself and bypass the application\u0027s CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.\\n\"}, {\"lang\": \"es\", \"value\": \"OpenProject es el software l\\u00edder de gesti\\u00f3n de proyectos de c\\u00f3digo abierto. OpenProject utiliza \\\"tablesorter\\\" dentro de la funci\\u00f3n Informe de costos. Esta dependencia, cuando est\\u00e1 mal configurada, puede provocar que se almacene XSS mediante la sustituci\\u00f3n de `{icon}` en los valores del encabezado de la tabla. Este ataque requiere los permisos \\\"Editar paquetes de trabajo\\\", as\\u00ed como \\\"Agregar archivos adjuntos\\\". Un administrador de proyecto podr\\u00eda intentar aumentar sus privilegios enviando este XSS a un administrador del sistema. De lo contrario, si se requiere un administrador del sistema completo, este ataque tendr\\u00e1 un impacto significativamente menor. Al utilizar el archivo adjunto de un ticket, puede almacenar javascript en la propia aplicaci\\u00f3n y omitir la pol\\u00edtica CSP de la aplicaci\\u00f3n para lograr Stored XSS. Esta vulnerabilidad ha sido parcheada en las versiones 14.1.0, 14.0.2 y 13.4.2.\"}]",
      "id": "CVE-2024-35224",
      "lastModified": "2024-11-21T09:19:58.373",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\", \"baseScore\": 7.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 4.7}]}",
      "published": "2024-05-23T13:15:09.380",
      "references": "[{\"url\": \"https://community.openproject.org/projects/openproject/work_packages/55198/relations\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://community.openproject.org/projects/openproject/work_packages/55198/relations\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-80\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35224\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-23T13:15:09.380\",\"lastModified\":\"2024-11-21T09:19:58.373\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions \\\"Edit work packages\\\" as well as \\\"Add attachments\\\". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket\u0027s attachment, you can store javascript in the application itself and bypass the application\u0027s CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.\\n\"},{\"lang\":\"es\",\"value\":\"OpenProject es el software l\u00edder de gesti\u00f3n de proyectos de c\u00f3digo abierto. OpenProject utiliza \\\"tablesorter\\\" dentro de la funci\u00f3n Informe de costos. Esta dependencia, cuando est\u00e1 mal configurada, puede provocar que se almacene XSS mediante la sustituci\u00f3n de `{icon}` en los valores del encabezado de la tabla. Este ataque requiere los permisos \\\"Editar paquetes de trabajo\\\", as\u00ed como \\\"Agregar archivos adjuntos\\\". Un administrador de proyecto podr\u00eda intentar aumentar sus privilegios enviando este XSS a un administrador del sistema. De lo contrario, si se requiere un administrador del sistema completo, este ataque tendr\u00e1 un impacto significativamente menor. Al utilizar el archivo adjunto de un ticket, puede almacenar javascript en la propia aplicaci\u00f3n y omitir la pol\u00edtica CSP de la aplicaci\u00f3n para lograr Stored XSS. Esta vulnerabilidad ha sido parcheada en las versiones 14.1.0, 14.0.2 y 13.4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"references\":[{\"url\":\"https://community.openproject.org/projects/openproject/work_packages/55198/relations\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://community.openproject.org/projects/openproject/work_packages/55198/relations\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Stored Cross-Site Scripting (XSS) in OpenProject\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-80\", \"lang\": \"en\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.6, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc\"}, {\"name\": \"https://community.openproject.org/projects/openproject/work_packages/55198/relations\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://community.openproject.org/projects/openproject/work_packages/55198/relations\"}], \"affected\": [{\"vendor\": \"opf\", \"product\": \"openproject\", \"versions\": [{\"version\": \"\u003e= 13.4.0, \u003c 13.4.2\", \"status\": \"affected\"}, {\"version\": \"\u003c 14.1.0\", \"status\": \"affected\"}, {\"version\": \"\u003e= 14.0.0, \u003c 14.0.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-23T12:53:04.336Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions \\\"Edit work packages\\\" as well as \\\"Add attachments\\\". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket\u0027s attachment, you can store javascript in the application itself and bypass the application\u0027s CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.\\n\"}], \"source\": {\"advisory\": \"GHSA-h26c-j8wg-frjc\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35224\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-23T16:39:22.186123Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T16:39:43.539Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-35224\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-05-14T15:39:41.784Z\", \"datePublished\": \"2024-05-23T12:53:04.336Z\", \"dateUpdated\": \"2024-06-04T17:33:30.104Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.