Sam91281

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 16.6.9 OpenProject versions prior to 17.0.6 OpenProject versions prior to 17.1.3 OpenProject versions prior to 17.2.1 **Description** OpenProject is a web-based project management software. The Repositories module did not properly escape filenames, allowing an attacker with push access to a repository to inject HTML code through maliciously crafted filenames in commits. This enables a persisted cross-site scripting (XSS) attack against project members accessing the repositories page when viewing changesets where the crafted file was deleted. **Recommendations** Update OpenProject to version 16.6.9 or later. Update OpenProject to version 17.0.6 or later. Update OpenProject to version 17.1.3 or later. Update OpenProject to version 17.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 17.2.0 **Description** OpenProject is a web-based project management software. Before version 17.2.0, an authenticated project member with BCF import permissions could upload a manipulated .bcf archive. The `<Snapshot>` value within the markup.bcf file could be altered to contain an absolute or traversal local path, such as '/etc/passwd' or '../../../../etc/passwd'. During import, this untrusted `<Snapshot>` value is used as `file.path` during attachment processing. This allows for arbitrary file reading (AFR) within the read permissions of the OpenProject application user, as local filesystem content can be read outside the intended ZIP scope. **Recommendations** Update to version 17.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 16.6.6 OpenProject versions prior to 17.0.2 **Description** OpenProject is a web-based project management software. A file write issue exists in the repository diff download endpoint (`/projects/:project id/repository/diff.diff`) when rendering a single revision via `git show`. By providing a crafted `rev` value, such as `rev=--output=/tmp/poc.txt`, an attacker can inject git show command-line options. This allows the OpenProject process to execute the SCM command, interpreting the attacker-controlled `rev` as an option and writing output to a path chosen by the attacker. Any user with the `:browse repository` permission on the project can create or overwrite arbitrary files the OpenProject process user is permitted to write. Overwriting application or configuration files can lead to data loss and denial of service. **Recommendations** Update to OpenProject version 16.6.6 or later. Update to OpenProject version 17.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenProject versions 16.3.0 through 16.6.4 **Description** OpenProject is a web-based project management software. A stored cross-site scripting issue exists in the Roadmap view. The issue occurs when a version contains work packages from a different project, as the project name is user-controlled and is not properly escaped before being rendered, allowing for HTML injection. The `link to work package` helper prepends `package.project.to s` to the link and returns the entire string with `.html safe`. This allows malicious HTML to be injected into the page. The issue is addressed in later versions by implementing the `X-Content-Type-Options: nosniff` header. **Recommendations** OpenProject versions 16.3.0 through 16.6.4 should be upgraded to version 16.6.5 or 17.0.0. If upgrading is not possible, add the `X-Content-Type-Options: nosniff` header in your proxying web application server.