PT-2021-23962 · Unknown · Openproject

Bananabr · Published 2021-12-14 · Updated 2024-03-06 · CVE-2021-43830

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenProject versions 12.0.0 through 12.0.3
Description: OpenProject is web-based project management software. It is vulnerable to SQL injection in the budgets module: for authenticated users holding the "Edit budgets" permission, the request that reassigns work packages to another budget insufficiently sanitizes user input in the reassign_to_id parameter.
Recommendations: For OpenProject versions 12.0.0 through 12.0.3, upgrade to at least version 12.0.4 to resolve the issue. If you are unable to upgrade in a timely fashion, consider applying a patch to fix the vulnerability. As a temporary workaround, consider restricting access to the budgets module for users with the "Edit budgets" permission until a patch is applied. Avoid using the reassign_to_id parameter in the affected API endpoint until the issue is resolved.
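As an added illustration of the bug class described above (this is not OpenProject's own code; the function names, the work_packages/budget_id columns and the allowed_ids check are assumptions), the vulnerable interpolation pattern sits beside a hardened version that validates the id and keeps it out of the SQL text:

```ruby
# Added example for CVE-2021-43830's bug class; not OpenProject's code.
# A controller receives params["reassign_to_id"] as a string and must use it
# in an UPDATE that moves work packages from one budget to another.

class InvalidBudgetId < ArgumentError; end

# Vulnerable pattern: the raw request parameter is interpolated into the SQL
# string, so whatever the client sent becomes part of the statement text.
def reassign_sql_vulnerable(old_id, reassign_to_id)
  "UPDATE work_packages SET budget_id = #{reassign_to_id} " \
    "WHERE budget_id = #{old_id}"
end

# Hardened pattern, step 1: accept only a canonical positive decimal integer.
# Anything else (letters, spaces, quotes, operators) is rejected before any
# SQL is built. Whitespace around the value is tolerated, leading zeros are not.
def parse_budget_id(raw)
  s = raw.to_s.strip
  unless s.match?(/\A[1-9]\d*\z/)
    raise InvalidBudgetId, "budget id must be a positive integer, got #{raw.inspect}"
  end
  Integer(s, 10)
end

# Hardened pattern, step 2: the validated integers travel as bind parameters
# ($1/$2 placeholders, what ActiveRecord does for you with `where("budget_id = ?", id)`),
# so they can never alter the statement's structure. The allowed_ids check is an
# assumed authorization step: the target budget must be one the caller may edit.
# Returns [sql_text, bind_values].
def reassign_sql_hardened(old_id, reassign_to_id, allowed_ids:)
  target = parse_budget_id(reassign_to_id)
  source = parse_budget_id(old_id)
  unless allowed_ids.include?(target)
    raise InvalidBudgetId, "budget #{target} is not editable by this user"
  end
  ["UPDATE work_packages SET budget_id = $1 WHERE budget_id = $2", [target, source]]
end
```

With input "42abc" the vulnerable builder embeds the text verbatim, while the hardened builder raises InvalidBudgetId and never produces a statement.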

Weakness Enumeration: SQL injection

Related Identifiers: BIT-OPENPROJECT-2021-43830, CVE-2021-43830, GHSA-F565-3WHR-6M96

Affected Products: Openproject