CVE-2024-35224
OpenProject contains a Stored XSS in the Cost Report feature caused by misconfigured tablesorter. The vulnerability allows an attacker with Edit work packages and Add attachments permissions to store JavaScript via a ticket attachment, bypassing CSP and potentially escalating privileges to a Syst...