Unknown · Openproject · CVE-2024-35224
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions prior to 13.4.2
OpenProject versions prior to 14.0.2
OpenProject versions prior to 14.1.0
**Description**
The issue concerns OpenProject, a leading open source project management software, which uses the `tablesorter` library inside its Cost Report feature. When this dependency is misconfigured, `{icon}` substitution in table header values can lead to stored XSS. The attack requires the permissions "Edit work packages" and "Add attachments". A project admin could attempt to escalate their privileges by delivering this XSS to a System Admin. The vulnerability is exploited by storing JavaScript in the application itself as a ticket attachment, which bypasses the application's Content Security Policy (CSP) and achieves stored XSS.
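As an added illustration (not tablesorter's or OpenProject's code), the following shows the class of defect the description points at: a header template whose `{icon}` placeholder is expanded after untrusted header text has been spliced in, beside a hardened form that escapes the text and expands the placeholder first. The template string, the icon markup, the sample header value and the function names are assumptions made for this example.

```javascript
// Illustrative reconstruction of the header-template substitution pattern.
// Assumed values: neither the template nor the icon markup is taken from
// tablesorter or OpenProject.
const ICON_HTML = '<i class="tablesorter-icon"></i>';
const HEADER_TEMPLATE = '{content}{icon}';

// Escape text destined for an element body so it can only render as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Defective pattern: the raw header value is spliced into the template and
// {icon} is expanded afterwards over the whole string. Markup inside the value
// survives, a literal "{icon}" inside the value is expanded too, and the
// string form of replace() honours "$&"-style patterns found in the value.
function buildHeaderUnsafe(value) {
  return HEADER_TEMPLATE.replace('{content}', value).replace(/\{icon\}/g, ICON_HTML);
}

// Hardened form: expand the trusted placeholder first, then insert the
// escaped value through a function replacement (no "$" pattern handling),
// so whatever the value contains is rendered as text.
function buildHeaderSafe(value) {
  const withIcon = HEADER_TEMPLATE.replace(/\{icon\}/g, () => ICON_HTML);
  return withIcon.replace('{content}', () => escapeHtml(value));
}

// Reviewer check: does the rendered header contain only the icon element?
function containsOnlyExpectedTags(html) {
  const openTag = ICON_HTML.slice(0, ICON_HTML.indexOf('>') + 1);
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.every((t) => t === openTag || t === '</i>');
}

// Constructed sample header value carrying markup and a stray placeholder.
const SAMPLE_VALUE = 'Total {icon} <b>cost</b>';
console.log(buildHeaderUnsafe(SAMPLE_VALUE)); // markup and a second icon leak through
console.log(buildHeaderSafe(SAMPLE_VALUE));   // value rendered as literal text
```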
**Recommendations**
For versions prior to 13.4.2, update to version 13.4.2 or later.
For versions prior to 14.0.2, update to version 14.0.2 or later.
For versions prior to 14.1.0, update to version 14.1.0 or later.