Stored XSS in Cost Report feature via {icon} substitution
CVE-2024-35224

7.6 HIGH

Key Information:

Vendor:
opf (OpenProject)
CVE Published:
23 May 2024

What is CVE-2024-35224?

OpenProject, the open source project management software, contains a Stored Cross-Site Scripting (XSS) vulnerability in its Cost Report feature caused by a misconfigured tablesorter dependency. A user who holds the 'Edit work packages' and 'Add attachments' permissions can plant a payload that is later rendered, and executed as JavaScript, in the context of the application. The practical goal of such an attacker is privilege escalation: the malicious payload is delivered via an attachment and aimed at a system administrator. Because the payload only fires when a system administrator acts on it, exploitation depends on that user interaction, which limits the overall impact. Versions 14.1.0, 14.0.2, and 13.4.2 contain the fix.
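The bug class behind this advisory is a table-header template whose placeholders are filled by plain string substitution, so that text originating from user data is dropped into markup unescaped. The block below is an added illustration of that class and its hardened form; it is not OpenProject's or tablesorter's code, and the template string, the function names, the static icon markup and the sample header text (constructed here to stand in for an attacker-controlled value that reaches a column header) are assumptions made for the example.

```javascript
// Added illustration of the bug class: placeholder substitution into HTML.
// NOT OpenProject's or tablesorter's code; names and data are assumptions.

// Static markup the widget itself owns (assumed for the example).
const ICON_HTML = '<i class="tablesorter-icon"></i>';

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: sequential replace() calls on the template.
// 1. headerText goes into the markup raw, so any tag in it is live.
// 2. {icon} is expanded AFTER {content}, so a literal "{icon}" inside the
//    data is expanded too (second-order substitution): the data is being
//    treated as template.
function renderHeaderUnsafe(template, headerText) {
  return template.replace('{content}', headerText).replace('{icon}', ICON_HTML);
}

// Hardened pattern: one pass over the template with a lookup callback, so
// placeholders are recognised only in the template and never in the data,
// and the data is HTML-escaped before it lands in markup.
function renderHeaderSafe(template, headerText) {
  const values = { content: escapeHtml(headerText), icon: ICON_HTML };
  return template.replace(/\{(content|icon)\}/g, (match, name) => values[name]);
}

// Constructed samples: a header text carrying an XSS payload, and one that
// smuggles the widget's own placeholder.
const TEMPLATE = '{content}{icon}';
const XSS_TEXT = '<img src=x onerror=alert(1)>';
const PLACEHOLDER_TEXT = 'Cost {icon} report';

// Run both renderers over both samples and report whether the payload
// survived as active markup (an "onerror=" outside an escaped context).
function demo() {
  const rows = [];
  for (const text of [XSS_TEXT, PLACEHOLDER_TEXT]) {
    for (const [name, fn] of [['unsafe', renderHeaderUnsafe], ['safe', renderHeaderSafe]]) {
      const html = fn(TEMPLATE, text);
      rows.push({ renderer: name, input: text, output: html, active: /<img[^>]*onerror=/.test(html) });
    }
  }
  return rows;
}

for (const r of demo()) {
  console.log(`${r.renderer.padEnd(6)} active=${String(r.active).padEnd(5)} ${r.output}`);
}
```

The single-pass lookup is the important design choice: escaping alone fixes the XSS, but only the one-pass renderer also stops data from being re-read as template, which is what lets a stray "{icon}" in user text change how the widget renders its own header.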


Affected Version(s)

openproject >= 13.4.0, < 13.4.2 (fixed in 13.4.2)

openproject >= 14.0.0, < 14.0.2 (fixed in 14.0.2)

openproject < 14.1.0 (fixed in 14.1.0)


CVSS V3.1

Score: 7.6
Severity: HIGH
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: High

A base score of 7.6 follows from these metrics only with Scope: Unchanged; the same metrics with Scope: Changed would compute to 8.9.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 23 May 2024