CVE-2021-32763

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 11.3.3

Description The issue concerns the MessagesController class in OpenProject, specifically the quote method, which is used for the Quote button in discussion forums. This method uses a regex to remove <pre> tags from quoted messages. However, the regex can be exploited to cause a Regular Expression Denial of Service due to its backtracking behavior when encountering an unterminated <pre> tag with a large number of spaces.

Recommendations For versions prior to 11.3.3, update to OpenProject 11.3.3 to resolve the issue. As a temporary workaround, one may install the patch manually.