CVE-2024-35224
📋 TL;DR
This vulnerability allows stored cross-site scripting (XSS) in OpenProject's Cost Report feature via misconfigured tablesorter dependency. Attackers with 'Edit work packages' and 'Add attachments' permissions can inject malicious JavaScript that bypasses CSP through ticket attachments. Project administrators could potentially escalate privileges by targeting system administrators.
💻 Affected Systems
- OpenProject
📦 What is this software?
Openproject by Openproject
⚠️ Risk & Real-World Impact
Worst Case
A project admin could escalate to system admin privileges, gaining full control over the OpenProject instance and potentially accessing sensitive project data or deploying further attacks.
Likely Case
Authenticated users with specific permissions could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the victim, or accessing sensitive project information.
If Mitigated
With proper access controls limiting 'Edit work packages' and 'Add attachments' permissions to trusted users only, the attack surface is significantly reduced.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.1.0, 14.0.2, or 13.4.2
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc
Restart Required: Yes
Instructions:
1. Back up your OpenProject instance and database.
2. Update to version 14.1.0, 14.0.2, or 13.4.2 using your package manager or deployment method.
3. Restart the OpenProject service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict permissions
Temporarily remove the 'Edit work packages' and 'Add attachments' permissions from non-essential users until patching is complete.
Disable Cost Report feature
Temporarily disable the Cost Report feature if it is not essential for operations.
🧯 If You Can't Patch
- Implement strict access controls to limit 'Edit work packages' and 'Add attachments' permissions to only essential, trusted users.
- Deploy a web application firewall (WAF) with XSS protection rules to detect and block exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check your OpenProject version. If it is earlier than the fixed release for its series (13.4.2, 14.0.2, or 14.1.0), you are vulnerable.
Check Version:
For Docker: docker exec openproject bundle exec rails runner 'puts OpenProject::VERSION.to_s'
For package install: openproject run bundle exec rails runner 'puts OpenProject::VERSION.to_s'
Verify Fix Applied:
After updating, verify that the version is 14.1.0, 14.0.2, 13.4.2 or later, and test that the Cost Report feature works without errors.
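As an added example (not code from the page's author or from the OpenProject project), a small Python helper that takes the string printed by the version command above and decides whether the install is older than the fix for its release series. It assumes each fixed release applies to its own series (13.x, 14.0.x, 14.1 and later) and that anything older than 13.x is also affected.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by release series.
# Assumption: each fix applies to its own series (13.x, 14.0.x, 14.1+).
FIXED_BY_SERIES = {
    (13,): (13, 4, 2),
    (14, 0): (14, 0, 2),
    (14, 1): (14, 1, 0),
}


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from the output of the rails runner command."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_release_for(version: Version) -> Version:
    """Return the fixed release that applies to this version's series."""
    major, minor, _ = version
    if major <= 13:
        # Assumption: releases before 13.x are compared against 13.4.2.
        return FIXED_BY_SERIES[(13,)]
    if (major, minor) == (14, 0):
        return FIXED_BY_SERIES[(14, 0)]
    return FIXED_BY_SERIES[(14, 1)]  # 14.1.0 and every later release


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version is older than the fix for its series."""
    version = parse_version(version_text)
    return version < fixed_release_for(version)


if __name__ == "__main__":
    # Constructed sample outputs of the version command, not real hosts.
    for sample in ("14.0.1", "14.0.2", "13.4.1", "14.1.0"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample}: {state}")
```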
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in attachment uploads
- Multiple failed attempts to access Cost Report features
- Suspicious activity from users with 'Edit work packages' permissions
Network Indicators:
- Unusual outbound connections from OpenProject server following Cost Report access
- Suspicious JavaScript payloads in HTTP requests to Cost Report endpoints
SIEM Query:
source="openproject" AND ("Cost Report" OR "tablesorter" OR "{icon}") AND (javascript OR script OR alert OR document.cookie)
🔗 References
- https://community.openproject.org/projects/openproject/work_packages/55198/relations
- https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc