Nguyen Truong Son

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 **Description** OpenProject is a web-based project management software. A flaw exists in the repository changes endpoint ('/projects/:project id/repository/changes') when rendering the “latest changes” view using git log. An attacker can inject git log command-line options by providing a crafted `rev` value, such as `rev=--output=/tmp/poc.txt`. This allows the attacker to write to an attacker-chosen path when OpenProject executes the SCM command. Users with the `:browse repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The attacker can upload valid shell scripts through crafted commits, potentially leading to remote code execution (RCE). This RCE could allow an attacker to create a reverse shell and access confidential files. **Recommendations** OpenProject versions prior to 16.6.7 should be updated to version 16.6.7 or later. OpenProject versions prior to 17.0.3 should be updated to version 17.0.3 or later.