OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

CPE

Name | Operator | Version
---|---|---
openproject | eq | 7.0.1
openproject | eq | 7.0.2
openproject | le | 6.1.5
openproject | eq | 7.0.0