PT-2026-3465 · Unknown · Openproject
Syndrome-Impostor
Published 2026-01-19 · Updated 2026-02-02
CVE-2026-23646
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.5
OpenProject versions prior to 17.0.1
Description
OpenProject is a web-based project management software. In affected versions, an authenticated user could log other users out by iterating requests to the DELETE /my/sessions/:id API endpoint with manipulated session IDs (id). The endpoint did not verify that the session identified by id belonged to the user attempting to delete it. The flaw did not expose sensitive session data such as browser identifiers or IP addresses, but it allowed users to terminate other users' active sessions.
Recommendations
Update OpenProject to version 16.6.5 or later.
Update OpenProject to version 17.0.1 or later.
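The root cause described above is a missing ownership check on a session delete. The following is an added example, not OpenProject's code, showing the vulnerable lookup pattern next to the owner-scoped pattern in a minimal in-memory session store (the class and method names `SessionStore`, `destroy_unscoped`, `destroy_for` and the user ids are hypothetical). The hardened version treats a session id owned by someone else exactly like a nonexistent id, so the endpoint neither deletes it nor confirms that it exists, and it counts rejected attempts so a defender can feed repeated rejections into alerting.

```ruby
# Added example (not OpenProject's code): contrasts an unscoped session
# delete with an owner-scoped one. All names here are hypothetical.

Session = Struct.new(:id, :user_id, :created_at)

class NotFound < StandardError; end

class SessionStore
  attr_reader :rejected_attempts

  def initialize
    @sessions = {}
    @next_id = 1
    @rejected_attempts = 0 # cross-user delete attempts, useful for detection
  end

  # Creates a session for a user and returns it.
  def create(user_id)
    s = Session.new(@next_id, user_id, Time.now)
    @sessions[s.id] = s
    @next_id += 1
    s
  end

  def active?(id)
    @sessions.key?(id)
  end

  # VULNERABLE pattern: the lookup is by id alone, so any authenticated
  # caller who supplies another user's session id terminates that session.
  def destroy_unscoped(id)
    raise NotFound unless @sessions.key?(id)
    @sessions.delete(id)
    true
  end

  # HARDENED pattern: the lookup is scoped to the caller's own sessions.
  # A session belonging to another user is reported as not found, which
  # both blocks the delete and avoids confirming that the id exists.
  def destroy_for(current_user_id, id)
    s = @sessions[id]
    if s.nil? || s.user_id != current_user_id
      @rejected_attempts += 1 unless s.nil?
      raise NotFound
    end
    @sessions.delete(id)
    true
  end
end

# Constructed scenario: Bob tries to delete Alice's session under each pattern.
# Returns a hash describing what happened.
def cross_user_delete_outcomes
  store = SessionStore.new
  alice = store.create(:alice)
  store.create(:bob)
  unscoped_deleted = store.destroy_unscoped(alice.id) && !store.active?(alice.id)

  store = SessionStore.new
  alice = store.create(:alice)
  store.create(:bob)
  scoped_deleted =
    begin
      store.destroy_for(:bob, alice.id)
    rescue NotFound
      false
    end

  {
    unscoped_deleted: unscoped_deleted,
    scoped_deleted: scoped_deleted,
    alice_still_active: store.active?(alice.id),
    rejected_attempts: store.rejected_attempts
  }
end

# The legitimate case still works: a user deletes their own session.
def own_delete_works
  store = SessionStore.new
  bob = store.create(:bob)
  store.destroy_for(:bob, bob.id) && !store.active?(bob.id)
end

if __FILE__ == $PROGRAM_NAME
  p cross_user_delete_outcomes
  p own_delete_works
end
```

In a Rails-style controller the same change is usually a one-line scope: look the session up through the current user's association rather than through the bare model, so an id the caller does not own raises the same not-found error as an id that does not exist.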
Exploit
Fix
Weakness Enumeration
Related identifiers
Affected products
Openproject