PT-2026-26157 · Unknown · Openproject

Sam91281 · Published 2026-03-18 · Updated 2026-03-19 · CVE-2026-32703

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.9
OpenProject versions prior to 17.0.6
OpenProject versions prior to 17.1.3
OpenProject versions prior to 17.2.1

Description
OpenProject is a web-based project management software. The Repositories module did not properly escape filenames, allowing an attacker with push access to a repository to inject HTML code through maliciously crafted filenames in commits. This enables a persisted cross-site scripting (XSS) attack against project members accessing the repositories page when viewing changesets where the crafted file was deleted.

Recommendations
Update OpenProject to version 16.6.9 or later.
Update OpenProject to version 17.0.6 or later.
Update OpenProject to version 17.1.3 or later.
Update OpenProject to version 17.2.1 or later.
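The bug class described above, reduced to a minimal Ruby illustration (added here; not OpenProject's own code): a changeset row that interpolates a commit filename verbatim beside the hardened form that HTML-escapes it, plus a check a regression test could use. The Change struct, the render functions and the constructed filename are assumptions for this example.

```ruby
require 'erb'

# Constructed model of one changeset entry as a repositories page might list it:
# the path recorded in the commit plus its action ('D' = deleted).
Change = Struct.new(:path, :action)

# Vulnerable rendering: the filename is interpolated verbatim into the HTML,
# so any markup contained in the path becomes part of the page.
def render_change_unsafe(change)
  "<tr class=\"change-#{change.action}\"><td>#{change.path}</td></tr>"
end

# Hardened rendering: filename and attribute value are HTML-escaped before
# interpolation, so '<', '>', '"', "'" and '&' reach the browser as text, not markup.
def render_change_safe(change)
  path = ERB::Util.html_escape(change.path)
  action = ERB::Util.html_escape(change.action)
  "<tr class=\"change-#{action}\"><td>#{path}</td></tr>"
end

# Regression check: does any element name other than the template's own appear
# in the rendered HTML? Stored XSS via a filename would show up as a foreign tag.
def contains_injected_tag?(html, template_tags: %w[tr td])
  html.scan(/<\/?([a-zA-Z][\w-]*)/).flatten.any? { |t| !template_tags.include?(t.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed filename carrying markup, as a commit with push access could record it.
  crafted = Change.new('<script>alert(1)</script>.txt', 'D')
  puts render_change_unsafe(crafted)   # markup survives into the page
  puts render_change_safe(crafted)     # rendered as literal text
end
```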

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-32703
GHSA-P423-72H4-FJVP

Affected products

Openproject