CVE-2024-35224

May 23, 2024, 1:15 p.m.

7.6
High

Description

OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.

Product(s) Impacted

Product Versions
OpenProject
  • ['14.1.0', '14.0.2', '13.4.2']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://community.openproject.org/projects/openproject/work_packages/55198/relations
https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc

Tags

security-advisories@github.com
CWE-80
2024-05-23
CVE-2024-35224

CVSS Score

7.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

    View Vector String

Timeline

Published: May 23, 2024, 1:15 p.m.
Last Modified: May 23, 2024, 1:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.