Summary
The OpenProject Cost Report functionality does not properly sanitize user input. This can lead to Stored XSS via the header values of the report table. This attack requires the permissions "Edit work packages" as well as "Add attachments".
Details
If a user configures a custom field with a malicious payload, inserts that payload into a ticket, and then runs a cost report, the payload is rendered unescaped in the report table headers and a Stored XSS is achieved in the application.
By using a ticket's attachment, an attacker can store JavaScript inside the application itself (on the same origin) and so bypass the application's CSP policy to achieve Stored XSS.
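The two defects described above, rendering custom field names into table headers without escaping and serving same-origin attachments in a way that lets them satisfy a `script-src 'self'` CSP, are illustrated below with the fix beside each. This is an added example written for this advisory, not OpenProject's own code; the function names, the sample header values and the sample response headers are constructed for the illustration.

```ruby
require "erb"

# Constructed sample: custom field names a project admin could define.
# The second one carries markup; the third shows why "&" must be escaped too.
SAMPLE_HEADERS = ["Hours", "Cost <script>alert(1)</script>", "Rate & Unit"].freeze

# Vulnerable pattern (hypothetical, for contrast): the header text is
# concatenated straight into the table markup, so any markup inside a
# custom field name becomes part of the page.
def render_header_row_unsafe(headers)
  "<tr>" + headers.map { |h| "<th>#{h}</th>" }.join + "</tr>"
end

# Hardened pattern: every header value is HTML-escaped at output time,
# regardless of where it came from. In Rails views the same effect comes
# from interpolating the value with <%= %> rather than raw/html_safe.
def render_header_row_safe(headers)
  "<tr>" + headers.map { |h| "<th>#{ERB::Util.html_escape(h)}</th>" }.join + "</tr>"
end

# JavaScript MIME types a browser will execute for <script src>.
JS_MIME_TYPES = %w[
  text/javascript application/javascript application/x-javascript
  application/ecmascript text/ecmascript text/jscript
].freeze

# Defender-side check on an attachment download response.
# With X-Content-Type-Options: nosniff set, browsers refuse to execute a
# <script src> whose response Content-Type is not a JavaScript type, so an
# uploaded file served as application/octet-stream cannot be pulled in as
# a same-origin script. `headers` is a hash of response header => value.
# (Serving attachments from a separate origin is the more robust fix.)
def attachment_response_safe?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  content_type = h["content-type"].to_s.split(";").first.to_s.strip.downcase
  nosniff = h["x-content-type-options"].to_s.strip.casecmp?("nosniff")
  nosniff && !JS_MIME_TYPES.include?(content_type)
end

if __FILE__ == $PROGRAM_NAME
  puts render_header_row_unsafe(SAMPLE_HEADERS)
  puts render_header_row_safe(SAMPLE_HEADERS)
  puts attachment_response_safe?("Content-Type" => "application/octet-stream",
                                 "X-Content-Type-Options" => "nosniff")
end
```

Running the block prints the unescaped row (with a live `<script>` element), the escaped row (where the same value is inert text), and `true` for a download response that sets both `nosniff` and a non-script content type. The escaping fix addresses the report table; the attachment check addresses the CSP bypass, and both are needed, since the CSP only helps once attachments can no longer be loaded as same-origin scripts.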
Impact
If a Project Admin can pull this attack off, they could attempt to escalate their privileges by delivering this XSS to a System Admin.
Releases
OpenProject versions 14.1.0, 14.0.2 and 13.4.2 all contain a fix for this security vulnerability.
Patches
To aid users who aren't able to upgrade immediately, we have provided a patch for all affected versions. You can download the patch here.
Credits
Thanks for finding and disclosing the vulnerability responsibly go to Sean Marpo. Thank you for reaching out to us and helping in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.