GHSA-mg4q-ghvh-cm2j
Published by oliverguenther on Feb 10, 2025
Package: OpenProject
Affected versions: <= 15.2.0
Patched versions: 15.2.1
Description
Impact
For OpenProject versions <= 15.2.0, the application fails to properly sanitize user input before displaying it in the Group Management section. Group names containing HTML script tags are not properly escaped before being rendered in a project, so a user who can create groups can inject markup (including script) into pages viewed by other users.
Patches
The issue has been resolved in OpenProject version 15.2.1. If you are unable to update, you can find a patch file here: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch
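The following is an added Ruby example, not OpenProject's own view code or the contents of the linked patch. It illustrates the bug class described under Impact (a user-controlled group name interpolated into markup without escaping) next to the hardened form, adds a small check a view test could use to catch a regression, and encodes the affected/patched version boundary stated under Patches. The sample group names are constructed for this example.

```ruby
require "erb"
require "rubygems"

# Constructed sample group names for this example; not taken from the advisory.
SAMPLE_GROUP_NAMES = [
  "Developers",
  "QA & Support",
  "<script>alert(1)</script>",
].freeze

# Vulnerable pattern (stand-in for the bug class, not OpenProject's actual code):
# the group name is dropped into the HTML as-is, so any tags it contains become
# live markup in every page that lists the group.
def render_group_row_unsafe(name)
  "<tr><td class=\"group-name\">#{name}</td></tr>"
end

# Hardened pattern: HTML-escape the name before it reaches the page.
# ERB::Util.html_escape is the same routine behind Rails' `h` helper and the
# auto-escaping `<%= %>` tag, so a Rails view that uses them gets this for free;
# the risk is a `raw`/`html_safe` call or string-built markup that bypasses it.
def render_group_row_safe(name)
  "<tr><td class=\"group-name\">#{ERB::Util.html_escape(name)}</td></tr>"
end

# Defender-side regression check: does the rendered fragment still contain an
# unescaped opening tag of the given name? Intended as a unit-test assertion on
# any view that prints user-controlled names.
def contains_raw_tag?(html_fragment, tag_name = "script")
  html_fragment.match?(/<\s*#{Regexp.escape(tag_name)}\b/i)
end

# Is an installed OpenProject version inside the affected range stated in the
# advisory (<= 15.2.0, fixed in 15.2.1)?
def affected_version?(version_string)
  Gem::Version.new(version_string) <= Gem::Version.new("15.2.0")
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_GROUP_NAMES.each do |name|
    puts "unsafe: #{render_group_row_unsafe(name)}"
    puts "safe:   #{render_group_row_safe(name)}"
  end
  %w[15.1.0 15.2.0 15.2.1].each do |v|
    puts "#{v}: #{affected_version?(v) ? 'affected' : 'patched'}"
  end
end
```

Running the script prints each sample name rendered both ways; only the unsafe rendering of the third name yields a live `<script>` element, and `contains_raw_tag?` flags exactly that case.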
References
#17783
https://www.openproject.org/docs/release-notes/12-5-1/
Credits
This security issue was responsibly disclosed by Kanitin Pholngam. Thank you for reaching out to us and for your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.