OpenProject · OpenProject · CVE-2026-24772
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions 17.0.0 through 17.0.1
**Description**
OpenProject is web-based project management software. Version 17.0.0 introduced a synchronization server to enable real-time collaboration on documents. The server does not properly validate the backend URL and sends a request containing the decrypted authentication token to whatever endpoint is provided. This allows an attacker who has intercepted an authentication token to gain access to OpenProject on behalf of the victim. The authentication token is valid for 24 hours and is encrypted with a shared secret. The vulnerable functionality involves the interaction between the OpenProject backend, frontend, and synchronization server. The issue was introduced with version 17.0.0.
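The kind of check whose absence is described above, as an added example (not OpenProject or hocuspocus code, and not the project's actual fix): a client-supplied backend URL is resolved against an operator-configured allowlist before any token is attached. The allowlisted origin, the request path and the `Authorization: Bearer` header are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical.
// ALLOWED_BACKEND_ORIGINS stands in for an operator-configured allowlist.
const ALLOWED_BACKEND_ORIGINS = new Set(["https://openproject.example.com"]);

// Returns the normalized origin if the client-supplied backend URL may
// receive a token; throws before any credential is attached otherwise.
function resolveTrustedBackend(candidate, allowed = ALLOWED_BACKEND_ORIGINS) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    throw new Error("backend URL is not parseable");
  }
  if (url.protocol !== "https:") {
    throw new Error("backend URL must use https");
  }
  // Userinfo can disguise the real host, so reject it outright.
  if (url.username || url.password) {
    throw new Error("userinfo not allowed in backend URL");
  }
  // Compare the parsed origin exactly; prefix or substring checks on the
  // raw string would accept look-alike hosts.
  if (!allowed.has(url.origin)) {
    throw new Error("backend origin not allowlisted");
  }
  return url.origin;
}

// Builds the outgoing request only for a trusted backend. The path is
// fixed server-side (assumed value), never taken from the client URL.
function buildBackendRequest(candidate, token, path = "/hypothetical/endpoint") {
  const origin = resolveTrustedBackend(candidate);
  return {
    url: origin + path,
    headers: { Authorization: `Bearer ${token}` }, // header scheme is an assumption
    redirect: "error", // a redirect must not carry the token to another host
  };
}
```
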
**Recommendations**
Disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable.
Disable the `hocuspocus` container.