CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41801 – OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
https://notcve.org/view.php?id=CVE-2024-41801
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. • https://github.com/opf/openproject/security/advisories/GHSA-g92v-vrq6-4fpw https://github.com/user-attachments/files/16371759/host-protection.patch https://www.openproject.org/docs/release-notes/14-3-0 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35224 – Stored Cross-Site Scripting (XSS) in OpenProject
https://notcve.org/view.php?id=CVE-2024-35224
OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. • https://community.openproject.org/projects/openproject/work_packages/55198/relations https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33960 – OpenProject vulnerable to project identifier information leakage through robots.txt
https://notcve.org/view.php?id=CVE-2023-33960
OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership. • https://community.openproject.org/wp/48324 https://github.com/opf/openproject/pull/12708 https://github.com/opf/openproject/releases/tag/v12.5.6 https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8 https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31140 – OpenProject user sessions not terminated after activation of 2FA
https://notcve.org/view.php?id=CVE-2023-31140
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. • https://community.openproject.org/wp/48035 https://github.com/opf/openproject/pull/12508 https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28q https://www.openproject.org/docs/release-notes/12-5-4 • CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43830 – SQL injection in OpenProject
https://notcve.org/view.php?id=CVE-2021-43830
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. • https://github.com/opf/openproject/pull/9983 https://github.com/opf/openproject/pull/9983.patch https://github.com/opf/openproject/releases/tag/v12.0.4 https://github.com/opf/openproject/security/advisories/GHSA-f565-3whr-6m96 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •