Impact
OpenProject versions >= 16.3.0, < 16.6.5 is affected by a stored XSS vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page.
Patches
The underlying issue is mitigated by setting a X-Content-Type-Options: nosniff header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0.
Workarounds
If you cannot upgrade your installation, ensure that you add a X-Content-Type-Options: nosniff header in your proxying web application server.
Credits
This vulnerability was reported by users sam91281 as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
Impact
OpenProject versions >= 16.3.0, < 16.6.5 is affected by a stored XSS vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page.
Patches
The underlying issue is mitigated by setting a
X-Content-Type-Options: nosniffheader, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0.Workarounds
If you cannot upgrade your installation, ensure that you add a X-Content-Type-Options: nosniff header in your proxying web application server.
Credits
This vulnerability was reported by users
sam91281as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.