Git · Openproject · CVE-2026-30236
**Name of the Vulnerable Software and Affected Versions**
OpenProject versions prior to 17.2.0
**Description**
OpenProject is a web-based, open-source project management software. Before version 17.2.0, editing a project budget and planning labor costs did not verify whether the user assigned to the budget was a project member. This exposed that user's default rate to individuals who should not have access to it. The `pre-calculation` endpoint, used for displaying cost previews, also failed to validate project membership, allowing costs to be calculated from the default rates of non-members (and so letting the rate be inferred from the previewed cost). The vulnerable parameter is the `user` associated with the budget.
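As an added illustration of the bug class described above (this is constructed example code, not OpenProject's own implementation; the `Budget`, `Project` and `User` structs, the sample data, and the `pre_calculation_*` and `update_budget_*` function names are all assumptions), the Ruby below places a cost-preview handler that accepts any user id next to a hardened one that resolves the user only through the budget's project membership. Because a preview returns `rate * hours`, the vulnerable variant lets a caller recover a non-member's default rate by dividing the cost by the hours; the hardened variant rejects the request, and the same membership check is reused for the save path so the preview and the edit cannot disagree.

```ruby
# Constructed models standing in for the real project/budget/user records.
User    = Struct.new(:id, :name, :default_rate)
Project = Struct.new(:id, :member_ids)
Budget  = Struct.new(:id, :project_id, :items)

# Constructed sample data: alice is a member of project 1, bob is not.
USERS = {
  1 => User.new(1, "alice", 85.0),
  2 => User.new(2, "bob", 120.0),
}.freeze
PROJECTS = { 1 => Project.new(1, [1]) }.freeze
BUDGETS  = { 10 => Budget.new(10, 1, []) }.freeze

class NotAuthorized < StandardError; end

# --- Vulnerable variant --------------------------------------------------
# Looks the user up directly by id, so any existing user's default rate
# feeds into the returned cost regardless of project membership.
def pre_calculation_vulnerable(budget_id, user_id, hours)
  BUDGETS.fetch(budget_id) # budget exists, but its project is never consulted
  user = USERS.fetch(user_id)
  { user_id: user.id, hours: hours, cost: user.default_rate * hours }
end

# What a caller can learn from a preview response: cost / hours == rate.
def rate_inferred_from(preview)
  preview[:cost] / preview[:hours]
end

# --- Hardened variant ----------------------------------------------------
# Resolve the user only through the project's membership list. A non-member
# id and a nonexistent id both yield nil, so the response does not reveal
# which of the two it was.
def project_member(project, user_id)
  return nil unless project.member_ids.include?(user_id)
  USERS[user_id]
end

def authorized_budget_user!(budget_id, user_id)
  budget  = BUDGETS.fetch(budget_id)
  project = PROJECTS.fetch(budget.project_id)
  user    = project_member(project, user_id)
  raise NotAuthorized, "user is not a member of project #{project.id}" if user.nil?
  [budget, user]
end

def pre_calculation_hardened(budget_id, user_id, hours)
  _budget, user = authorized_budget_user!(budget_id, user_id)
  { user_id: user.id, hours: hours, cost: user.default_rate * hours }
end

# The save path performs the same check, so a labor-cost item can only be
# stored (and later displayed) for a project member.
def update_budget_labor_item(budget_id, user_id, hours)
  budget, user = authorized_budget_user!(budget_id, user_id)
  item = { user_id: user.id, hours: hours, cost: user.default_rate * hours }
  budget.items << item
  item
end

if __FILE__ == $PROGRAM_NAME
  leaked = pre_calculation_vulnerable(10, 2, 10)
  puts "vulnerable preview for non-member bob: #{leaked.inspect}"
  puts "rate inferred by caller: #{rate_inferred_from(leaked)}"
  begin
    pre_calculation_hardened(10, 2, 10)
  rescue NotAuthorized => e
    puts "hardened preview refused: #{e.message}"
  end
  puts "hardened preview for member alice: #{pre_calculation_hardened(10, 1, 10).inspect}"
end
```

The important design choice is that the hardened handler never fetches a `User` by raw id: the membership list is the only path to a user object, so the authorization decision cannot be skipped by a second code path that forgets to call a separate check.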
**Recommendations**
Versions prior to 17.2.0 should be updated to version 17.2.0 or later.