
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack through 2^n states in the NFA. This results in a Regular Expression Denial of Service (ReDoS).

References:
- https://github.com/opf/openproject/pull/9447.patch
- https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f

CWE-400: Uncontrolled Resource Consumption

CVSS: 6.1 | EPSS: 23% | CPEs: 2 | EXPL: 0

An XSS vulnerability in the project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled. OpenProject versions 9.0.3 and below and 10.0.1 and below suffer from multiple cross-site scripting vulnerabilities.

References:
- http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/Oct/29
- https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA
- https://seclists.org/bugtraq/2019/Oct/19
- https://www.openproject.org/release-notes/openproject-10-0-2
- https://www.openproject.org/release-notes/openproject-9-0-4

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 95% | CPEs: 1 | EXPL: 4

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. OpenProject versions 5.0.0 through 8.3.1 suffer from a remote SQL injection vulnerability.

References:
- https://www.exploit-db.com/exploits/46838
- http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html
- http://seclists.org/fulldisclosure/2019/May/7
- https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ
- https://seclists.org/bugtraq/2019/May/22
- https://www.openproject.org/release-notes/openproject-8-3-2

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

References:
- https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee
- https://www.openproject.org/openproject-6-1-6-released-security-fix
- https://www.openproject.org/openproject-7-0-3-released

CWE-613: Insufficient Session Expiration