Openproject · Openproject · CVE-2026-22602
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions prior to 16.6.2
**Description**
OpenProject is web-based project management software. A user with low privileges can view the full names of other users. Because user IDs are assigned sequentially, an attacker can compile a complete list of all users' full names by iterating over user IDs in URLs. The same behaviour is reachable through the OpenProject API, which makes the retrieval of full names easy to automate. The vulnerable parameter is `user id`.
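As an added defensive example (not part of the advisory and not OpenProject's own code), the following Python script scans web-server access logs for the sequential user-ID walking the description refers to, which is what an instance that cannot be upgraded immediately would want to watch for. It assumes a combined-log-format access log with the authenticated login appended as a final field, and assumes the user lookups land on paths of the form `/users/<id>` or `/api/v3/users/<id>`; both the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: combined format plus the authenticated login as a final field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<user>\S+)$'
)
# Assumed route shapes for a single-user lookup (UI and API v3).
USER_PATH_RE = re.compile(r"^/(?:api/v3/)?users/(\d+)(?:[/?]|$)")


def parse_line(line):
    """Return (actor, timestamp, user_id, status) for a user-lookup request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = USER_PATH_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Attribute to the login when present, otherwise fall back to the client IP.
    actor = m["user"] if m["user"] != "-" else m["ip"]
    return actor, ts, int(p.group(1)), int(m["status"])


def sequential_ratio(ids):
    """Fraction of adjacent gaps equal to 1 in the sorted ID set (1.0 = a clean walk)."""
    s = sorted(set(ids))
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def detect_enumeration(lines, window_seconds=60, min_distinct=10, min_ratio=0.8):
    """Flag actors that look up many distinct, mostly consecutive user IDs in a short window.

    Every matching request counts regardless of status, so probing that is rejected
    after the upgrade (403/404) is surfaced as well as successful disclosure.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            actor, ts, uid, _status = parsed
            events[actor].append((ts, uid))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for actor, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids = {uid for _, uid in evs[start:end + 1]}
            ratio = sequential_ratio(ids)
            if len(ids) >= min_distinct and ratio >= min_ratio:
                alerts.append({
                    "actor": actor,
                    "distinct_ids": len(ids),
                    "sequential_ratio": round(ratio, 2),
                    "first_seen": evs[start][0],
                    "last_seen": evs[end][0],
                })
                break  # one alert per actor is enough for triage
    return alerts


def _line(ip, second, path, status, user):
    """Build one constructed log line at a fixed base time plus `second` seconds."""
    ts = datetime(2026, 2, 12, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'{status} 612 "-" "curl/8.5.0" {user}')


# Constructed sample traffic: normal scattered lookups by alice, a sequential walk
# of IDs 100..124 by a low-privileged account, and an unrelated request by bob.
SAMPLE_LOG = (
    [_line("10.0.0.8", i * 20, f"/api/v3/users/{uid}", 200, "alice")
     for i, uid in enumerate([7, 42, 7, 13])]
    + [_line("10.0.0.5", i, f"/api/v3/users/{100 + i}", 200, "lowpriv") for i in range(25)]
    + [_line("10.0.0.9", 30, "/projects/demo/work_packages", 200, "bob")]
)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative: a helpdesk user opening ten profiles in a minute is plausible, ten consecutive IDs is not. Lower `min_ratio` if your instance has many deleted accounts, since gaps in the ID sequence reduce the ratio for a genuine walk.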
**Recommendations**
Upgrade to OpenProject version 16.6.2 or later.
If upgrading is not possible, apply the patch manually.