CVE-2025-24892
LOWOpenProject < 15.2.1 - Stored Cross-Site Scripting in Group Management Section
Title source: llmDescription
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j
Patch x_refsource_misc
https://github.com/opf/openproject/pull/17783
Patch x_refsource_misc
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch
Release Notes x_refsource_misc
https://www.openproject.org/docs/release-notes/12-5-1
Scores
CVSS v3
3.5
EPSS
0.0028
EPSS Percentile
20.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
openproject/openproject
< 15.2.1
Published
Feb 10, 2025
Tracked Since
Feb 18, 2026