A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in OpenProject, the widely-used open source project management software. This vulnerability exists in the Cost Report feature due to a misconfiguration in the tablesorter dependency. An attacker with permissions to edit work packages and add attachments could exploit this vulnerability to execute malicious scripts through the {icon} substitution in table header values, potentially escalating their privileges. This issue has been resolved in OpenProject version(s) 14.1., 14..2, and 13.4.2.

Vulnerability Details

The vulnerability is present within the OpenProject software's Cost Report feature, which relies on the tablesorter dependency and allows users to sort and filter data in tables. The misconfiguration in tablesorter makes it possible for an attacker with "Edit work packages" and "Add attachments" permissions to achieve Stored XSS by executing malicious JavaScript code through the {icon} substitution in table header values.

Here is a code snippet that demonstrates the vulnerability

// Sample code to exploit the vulnerability
let payload = '<img src=x onerror=javascript:alert(\'XSS\')>'; // XSS payload
payload = payload.replace(/</g, '&lt;'); // Escaping the less-than character
let tableHeader = {icon(${payload})}; // Prepare the payload with {icon} substitution
const tablesorter = new Tablesorter(); // Instantiate the tablesorter object
tablesorter.setHeaderLabel(, tableHeader); // Set the table header label with the payload

For a detailed explanation of how this vulnerability can pose a risk to OpenProject, please refer to the original references:

1. CVE-2024-35224 - OpenProject Advisory
2. OpenProject GitHub Issue
3. OpenProject Release Notes

Impact and Exploitation

While this vulnerability requires the attacker to have specific permissions ("Edit work packages" and "Add attachments") to exploit the Stored XSS attack, it could still pose a significant risk in certain scenarios. For instance, a project admin could attempt to escalate their privileges by sending the XSS payload to a System Admin, which could lead to further security risks and compromises.

Apart from privilege escalation, this vulnerability could also allow the attacker to bypass the security mechanisms like CSP policy and store the malicious JavaScript in the application itself by utilizing a ticket's attachment feature.

OpenProject 13.4.2

To effectively mitigate this vulnerability, it is strongly recommended to upgrade your OpenProject installations to the latest available version. Additionally, ensure you validate and sanitize user input to minimize the risks associated with XSS attacks.

Timeline

Published on: 05/23/2024 13:15:09 UTC
Last modified on: 06/04/2024 17:33:30 UTC