342 matches found
CVE-2017-11667
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session...
CVE-2025-24892
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a...
CVE-2025-24892
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a...
CVE-2025-24892 OpenProject stored HTML injection vulnerability
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a...
CVE-2025-24892
CVE-2025-24892 affects OpenProject prior to 15.2.1, where the Group Management UI fails to sanitize user input, allowing HTML/script content in groups to be rendered in a project (stored HTML injection). The issue is resolved in OpenProject 15.2.1. If upgrading isn’t possible, a patch is availabl...
CVE-2025-24892 OpenProject stored HTML injection vulnerability
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a...
CVE-2025-24892 OpenProject stored HTML injection vulnerability
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a...
OpenProject 跨站脚本漏洞
OpenProject is a web-based project management software from OpenProject Open Source. A cross-site scripting vulnerability exists in versions of OpenProject prior to 15.2.1, which stems from a failure to properly clean up user input in the group management section and could lead to a cross-site...
PT-2025-6068 · Unknown · Openproject
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 15.2.1 Description: The issue arises from the application's failure to properly sanitize user input before displaying it in the Group Management section. Specifically, groups created with HTML script tags are not...
CVE-2024-35224
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...
CVE-2024-41801
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProje...
CVE-2024-41801 OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProje...
CVE-2024-41801
OpenProject prior to 14.3.0 is affected by an open redirect/phishing vulnerability caused by accepting forged HOST headers in default packaged installations with the Login required setting. The issue could allow redirection to a remote host when HOST/X-Forwarded-Host headers are not correctly fix...
CVE-2024-41801 OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProje...
CVE-2024-41801 OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProje...
PT-2024-29568 · Unknown +1 · Openproject +1
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 14.3.0 Description: The issue allows an attacker to redirect to a remote host to initiate a phishing attack against an OpenProject user's account by using a forged HOST header in the default configuration of...
OpenProject 安全漏洞
OpenProject is a web-based project management software from OpenProject Open Source. A security vulnerability exists in OpenProject versions prior to 14.3.0. An attacker can exploit this vulnerability to launch a phishing attack against a user account by using a spoofed HOST header in the default...
CVE-2024-35224
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...
CVE-2024-35224
OpenProject contains a Stored XSS in the Cost Report feature caused by misconfigured tablesorter. The vulnerability allows an attacker with Edit work packages and Add attachments permissions to store JavaScript via a ticket attachment, bypassing CSP and potentially escalating privileges to a Syst...
CVE-2024-35224 Stored Cross-Site Scripting (XSS) in OpenProject
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...