CVE-2024-35224

OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://community.openproject.org/projects/openproject/work_packages/55198/relations
https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc
https://community.openproject.org/projects/openproject/work_packages/55198/relations
https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc

Configurations

No configuration.

History

21 Nov 2024, 09:19

Type	Values Removed	Values Added
Summary		(es) OpenProject es el software líder de gestión de proyectos de código abierto. OpenProject utiliza "tablesorter" dentro de la función Informe de costos. Esta dependencia, cuando está mal configurada, puede provocar que se almacene XSS mediante la sustitución de `{icon}` en los valores del encabezado de la tabla. Este ataque requiere los permisos "Editar paquetes de trabajo", así como "Agregar archivos adjuntos". Un administrador de proyecto podría intentar aumentar sus privilegios enviando este XSS a un administrador del sistema. De lo contrario, si se requiere un administrador del sistema completo, este ataque tendrá un impacto significativamente menor. Al utilizar el archivo adjunto de un ticket, puede almacenar javascript en la propia aplicación y omitir la política CSP de la aplicación para lograr Stored XSS. Esta vulnerabilidad ha sido parcheada en las versiones 14.1.0, 14.0.2 y 13.4.2.
References	~~() https://community.openproject.org/projects/openproject/work_packages/55198/relations -~~	() https://community.openproject.org/projects/openproject/work_packages/55198/relations -
References	~~() https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc -~~	() https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc -

23 May 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-23 13:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-35224

Mitre link : CVE-2024-35224

CVE.ORG link : CVE-2024-35224

JSON object : View

Products Affected

No product.

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

7.6 /10