📦 OpenProject
by OpenProject
🔍 What is OpenProject?
OpenProject is open-source, web-based project management software built on Ruby on Rails. The advisories listed below concern its work packages, Roadmap, repository browsing, meetings, time tracking and cost reporting features, as well as its collaborative document editor and synchronization server.
🛡️ Security Overview
⚠️ Known Vulnerabilities
OpenProject versions before 16.6.7 and 17.0.3 contain an arbitrary file write vulnerability that can lead to remote code execution. Attackers with repository browsing permissions can inject git log op...
OpenProject's synchronization server improperly validates backend URLs, allowing attackers to decrypt intercepted authentication tokens and gain unauthorized access to user accounts. This affects Open...
OpenProject versions before 16.6.6 and 17.0.2 have a command injection vulnerability that allows authenticated users with repository browsing permissions to write arbitrary files. Attackers can inject...
OpenProject versions 16.3.0 through 16.6.4 have a stored cross-site scripting vulnerability in the Roadmap view that allows attackers to inject malicious HTML/JavaScript via subproject names. This aff...
This vulnerability allows stored cross-site scripting (XSS) in OpenProject's Cost Report feature via a misconfigured tablesorter dependency. Attackers with 'Edit work packages' and 'Add attachments' per...
OpenProject's robots.txt file publicly exposes project identifiers even when the entire instance is configured to require login. This information disclosure vulnerability affects all OpenProject insta...
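A quick way to audit the robots.txt disclosure above is to parse the file an instance serves and list every project identifier it names. The script below is an added example (not OpenProject code and not taken from this page); it assumes project URLs take the form /projects/<identifier>/..., which is an assumption about OpenProject's URL layout, and the robots.txt text it parses is a constructed sample, not a capture from a real instance. If the list is non-empty on an instance that requires login for everything, the identifiers are being disclosed to unauthenticated clients.

```python
"""List project identifiers disclosed by a robots.txt.

Added example, not part of OpenProject. Assumption: project paths look like
/projects/<identifier>/...; only Allow/Disallow directives are inspected.
"""

import re
from urllib.parse import urlsplit

# Assumed URL layout: first path segment after /projects/ is the identifier.
PROJECT_PATH = re.compile(r"^/projects/([^/?#]+)")


def project_identifiers_in_robots(robots_txt: str) -> list[str]:
    """Return the distinct project identifiers named in Allow/Disallow lines.

    Order of first appearance is preserved. Wildcard patterns such as
    /projects/*/ are skipped because they name no concrete project.
    """
    found: list[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() not in ("allow", "disallow"):
            continue
        path = urlsplit(value.strip()).path           # tolerate absolute URLs
        match = PROJECT_PATH.match(path)
        if match is None:
            continue
        identifier = match.group(1)
        if "*" in identifier or identifier in found:
            continue
        found.append(identifier)
    return found


# Constructed sample robots.txt; not captured from a real OpenProject instance.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /projects/acme-rollout/activity
Disallow: /projects/acme-rollout/work_packages
Disallow: /projects/internal-audit/
Disallow: /projects/*/wiki
Disallow: /login
Allow: https://example.invalid/projects/public-docs
"""


if __name__ == "__main__":
    for identifier in project_identifiers_in_robots(SAMPLE_ROBOTS):
        print(identifier)
```

Run it against `curl -s https://<your-instance>/robots.txt` output from an unauthenticated client; anything it prints is visible to anyone who can reach the host, regardless of the instance's login requirement.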
OpenProject versions before 17.0.2 contain a missing authorization vulnerability where users with 'Manage Users' permission can lock application administrators, which should be restricted. This allows...
This vulnerability in OpenProject allows authenticated attackers to move meeting agenda items into different meetings they shouldn't have access to, potentially causing confusion by adding arbitrary a...
OpenProject versions 17.0.0-17.0.1 contain a server-side request forgery (SSRF) vulnerability in the collaborative document editor. Attackers can craft documents with malicious work package IDs that t...
OpenProject versions before 16.6.5 and 17.0.1 contain a session management vulnerability where users can delete other users' active sessions. This allows authenticated users to forcibly log out other ...
OpenProject versions before 17.0.1 and 16.6.5 have an information disclosure vulnerability where users with View Members permission in any project can enumerate all groups and see their members. This ...
OpenProject versions before 14.3.0 are vulnerable to host header injection, allowing attackers to forge HOST headers to redirect users to malicious sites for phishing attacks. This affects default pac...
OpenProject versions before 16.6.7 and 17.0.3 contain an HTML injection vulnerability in the time tracking function. An attacker with administrator privileges can inject HTML tags into work package na...
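Most entries above describe their affected range as "before X and Y" with one fixed version per release line, so a naive numeric comparison gets the edge cases wrong: 16.6.7 is lower than 17.0.3 but is not affected by the first advisory. The script below is an added example, not OpenProject tooling and not something this page provides; it transcribes the version constraints from the summaries above into data and applies a branch-aware rule. Two points are assumptions rather than facts stated on the page: a fixed version is matched to an installed version by major release line, and a line older than every listed fix (for example 15.x against "before 16.6.7 and 17.0.3") is treated as affected. The titles are short labels written here for the example, not advisory identifiers, and entries with no version numbers on the page are omitted.

```python
"""Branch-aware check of an OpenProject version against the fixed-in
versions listed on this page.

Added example, not OpenProject code. Version data is transcribed from the
page's summaries; entries without version numbers are not represented.
"""

from dataclasses import dataclass
from typing import Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'16.6.7' -> (16, 6, 7); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    title: str
    fixed_in: tuple[str, ...] = ()            # "before X and Y": one fix per line
    first_affected: Optional[str] = None      # explicit "X through Y" range
    last_affected: Optional[str] = None       # inclusive upper bound of that range

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if self.first_affected is not None and self.last_affected is not None:
            return parse_version(self.first_affected) <= v <= parse_version(self.last_affected)
        fixes = [parse_version(f) for f in self.fixed_in]
        same_line = [f for f in fixes if f[0] == v[0]]
        if same_line:
            # Assumption: compare only within the installed major line, so
            # 16.6.7 is not flagged merely because 16.6.7 < 17.0.3.
            return v < min(same_line)
        # Assumption: lines older than every fix are affected, newer ones are not.
        return v < max(fixes)


ADVISORIES = (
    Advisory("arbitrary file write / RCE via repository browsing", fixed_in=("16.6.7", "17.0.3")),
    Advisory("command injection via repository browsing", fixed_in=("16.6.6", "17.0.2")),
    Advisory("stored XSS in Roadmap via subproject names", first_affected="16.3.0", last_affected="16.6.4"),
    Advisory("'Manage Users' can lock administrators", fixed_in=("17.0.2",)),
    Advisory("SSRF in collaborative document editor", first_affected="17.0.0", last_affected="17.0.1"),
    Advisory("users can delete other users' sessions", fixed_in=("16.6.5", "17.0.1")),
    Advisory("group member enumeration via View Members", fixed_in=("16.6.5", "17.0.1")),
    Advisory("host header injection", fixed_in=("14.3.0",)),
    Advisory("HTML injection in time tracking", fixed_in=("16.6.7", "17.0.3")),
)


def open_advisories(version: str) -> list[str]:
    """Titles of the advisories above that still apply to the given version."""
    return [a.title for a in ADVISORIES if a.affects(version)]


if __name__ == "__main__":
    for installed in ("14.2.9", "16.6.4", "16.6.7", "17.0.1", "17.0.3"):
        print(installed, "->", open_advisories(installed) or "none listed here")
```

The version string to feed in is the one an instance reports in its administration pages or API; the output is only as complete as the summaries on this page, so treat an empty result as "nothing listed here" rather than "nothing outstanding".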