CVE-2024-35224

HIGH

OpenProject < 13.4.2 - Authenticated Stored Cross-Site Scripting via Cost Report Table Header

Title source: llm

Description

OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_confirm

https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc

Issue Tracking x_refsource_misc

https://community.openproject.org/projects/openproject/work_packages/55198/relations

Scores

CVSS v3 7.6

EPSS 0.0033

EPSS Percentile 24.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-80

Status published

Products (2)

openproject/openproject 14.1.0

openproject/openproject < 13.4.2

Published May 23, 2024

Tracked Since Feb 18, 2026