CVE-2025-24892

LOW

OpenProject < 15.2.1 - Stored Cross-Site Scripting in Group Management Section

Title source: llm
STIX 2.1

Description

OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.

Scores

CVSS v3 3.5
EPSS 0.0028
EPSS Percentile 20.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
openproject/openproject < 15.2.1
Published Feb 10, 2025
Tracked Since Feb 18, 2026