OpenProject vulnerable to project identifier information leakage through robots.txt
CVE-2023-33960

7.5HIGH

Key Information:

Vendor

opf

Status
openproject
Vendor
CVE Published:
1 June 2023

What is CVE-2023-33960?

OpenProject, a web-based project management tool, has a security vulnerability where the robots.txt file, which is intended to guide web crawlers about accessible routes, inadvertently exposes identifiers of all public projects in an instance, even when the instance is marked as 'Login required'. This publicly accessible route poses a risk as it may reveal sensitive project information to unauthorized users. Users are advised to upgrade to version 12.5.6, where this issue has been addressed, or apply the provided patch for earlier versions. As a temporary workaround, users can change the status of public projects to non-public while ensuring necessary access through membership.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

openproject < 12.5.6

References

https://github.com/opf/openproject/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/opf/openproject/pull/12708
x_refsource_MISC
https://community.openproject.org/wp/48324
x_refsource_MISC

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.