PT-2026-2222 · Openproject · Openproject
Lowoliverguenther · Published 2026-01-10 · Updated 2026-01-12
CVE-2026-22602
CVSS v3.1: 3.5 (Low)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.2
Description
OpenProject is web-based project management software. A user with low privileges can view the full names of other users. Because user IDs are assigned sequentially, an attacker can extract a complete list of all users' full names by iterating through user URLs. The same behavior can be reproduced via the OpenProject API, which enables automated retrieval of full names. The vulnerable parameter is the user id.
Recommendations
Upgrade to OpenProject version 16.6.2 or later.
If upgrading is not possible, apply the patch manually.
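The sequential-ID enumeration described above leaves a recognizable trace: one principal fetching user records with consecutive IDs in quick succession. The following detection routine is an added example, not code from this advisory or from OpenProject; it runs over constructed access-log lines in an assumed simple format and assumes the per-user paths `/users/<id>` and `/api/v3/users/<id>`.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real OpenProject logs); assumed format:
# "<client_ip> <authenticated_user> <timestamp> <method> <path> <status>".
SAMPLE_LOG = """\
10.0.0.5 alice 2026-01-10T10:00:01Z GET /api/v3/users/7 200
10.0.0.5 alice 2026-01-10T10:00:02Z GET /api/v3/projects/3 200
10.0.0.9 bob 2026-01-10T10:01:00Z GET /api/v3/users/1 200
10.0.0.9 bob 2026-01-10T10:01:01Z GET /api/v3/users/2 200
10.0.0.9 bob 2026-01-10T10:01:02Z GET /api/v3/users/3 200
10.0.0.9 bob 2026-01-10T10:01:03Z GET /api/v3/users/4 404
10.0.0.9 bob 2026-01-10T10:01:04Z GET /api/v3/users/5 200
10.0.0.9 bob 2026-01-10T10:01:05Z GET /api/v3/users/6 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed paths for a single user record: the web UI route and the API v3 route.
USER_PATH_RE = re.compile(r"^/(?:api/v3/)?users/(\d+)(?:[/?]|$)")


def parse_user_lookups(log_text):
    """Return {(client_ip, user): [user_id, ...]} in request order.

    Non-2xx responses are kept on purpose: a 404 on a gap in the ID space
    is still a probe and is part of the enumeration pattern."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, _ts, _method, path, _status = m.groups()
        pm = USER_PATH_RE.match(path)
        if pm:
            lookups[(ip, user)].append(int(pm.group(1)))
    return lookups


def longest_sequential_run(ids):
    """Length of the longest run of IDs that each increase by exactly 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Principals whose user lookups contain a sequential run of >= min_run IDs."""
    flagged = {}
    for key, ids in parse_user_lookups(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[key] = run
    return flagged
```

Tune `min_run` to the normal browsing pattern of the deployment; a legitimate user rarely opens more than a handful of consecutive user profiles in order.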
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related identifiers
Affected products
Openproject