Unknown · OpenProject · CVE-2021-32763
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions prior to 11.3.3
**Description**
The issue concerns the `MessagesController` class in OpenProject, specifically the `quote` method, which is used for the Quote button in discussion forums. This method uses a regex to remove `<pre>` tags from quoted messages. However, the regex can be exploited to cause a Regular Expression Denial of Service (ReDoS) due to its backtracking behavior when encountering an unterminated `<pre>` tag followed by a large number of spaces.
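The backtracking problem described above, next to a linear-time alternative, as an added Ruby example that is not OpenProject's code or its patch. The pattern `AMBIGUOUS_PRE`, the helper `strip_pre_blocks`, the `[...]` placeholder and the sample strings are assumptions constructed for illustration.

```ruby
# Added example; the pattern below is constructed for illustration and is not
# copied from OpenProject. With /m, "." and "\s" both match a space, so every
# space can be consumed two ways and a missing </pre> makes the engine retry
# those combinations before it gives up.
AMBIGUOUS_PRE = %r{<pre>(.|\s)*?</pre>}m

OPEN_TAG  = '<pre>'.freeze
CLOSE_TAG = '</pre>'.freeze

# Replace each complete <pre>...</pre> block with a placeholder using plain
# substring search instead of a regex. The scan only moves forward, so the
# cost is linear in the input length. The placeholder default is an assumption.
def strip_pre_blocks(text, placeholder = '[...]')
  out = +''
  pos = 0
  while (open_at = text.index(OPEN_TAG, pos))
    close_at = text.index(CLOSE_TAG, open_at + OPEN_TAG.length)
    # Unterminated <pre>: nothing to strip, keep the remainder verbatim.
    break if close_at.nil?
    out << text[pos...open_at] << placeholder
    pos = close_at + CLOSE_TAG.length
  end
  out << text[pos..-1]
end

# Constructed sample inputs.
WELL_FORMED  = "See this:\n<pre>puts  1\nputs  2</pre>\nand <pre>x</pre> too".freeze
UNTERMINATED = ('<pre>' + ' ' * 200_000).freeze

if __FILE__ == $PROGRAM_NAME
  # The regex is only run here, on small terminated input, to show that both
  # approaches produce the same result for well-formed messages.
  puts strip_pre_blocks(WELL_FORMED) == WELL_FORMED.gsub(AMBIGUOUS_PRE, '[...]')
  # The unterminated case finishes in one pass and leaves the text unchanged.
  puts strip_pre_blocks(UNTERMINATED) == UNTERMINATED
end
```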
**Recommendations**
For versions prior to 11.3.3, update to OpenProject 11.3.3 to resolve the issue.
As a temporary workaround, one may install the patch manually.