PT-2024-29568 · Unknown · Openproject

Wrobind · Published 2024-07-25 · Updated 2024-08-26

CVE-2024-41801
CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 14.3.0
Description: The issue allows an attacker to redirect to a remote host, initiating a phishing attack against an OpenProject user's account, by using a forged HOST header in the default configuration of packaged installations with the "Login required" setting enabled. This affects default packaged installations of OpenProject on Apache without additional configuration or modules. The vulnerability might also affect other installations that do not sanitize the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application.
Recommendations: For versions prior to 14.3.0, upgrade to version 14.3.0 to resolve the issue. As a temporary workaround, consider using ModSecurity for Apache 2. Manually fix the Host and X-Forwarded-Host headers in the proxying application before the request reaches the OpenProject application server. Alternatively, manually apply the patch to opt in to host header protections in previous versions of OpenProject.
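The following added example (not OpenProject's own code) contrasts a "login required" redirect built from the request's Host/X-Forwarded-Host headers, the pattern the advisory describes, with one that validates the claimed host against a configured allowlist. The allowlist, canonical hostname and header values are constructed for illustration.

```python
from typing import Dict

# Constructed stand-in for the application's configured hostname (assumption).
CANONICAL_HOST = "openproject.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST}


def claimed_host(headers: Dict[str, str]) -> str:
    """Return the host the request claims, preferring X-Forwarded-Host as a
    reverse-proxied application would, with any port suffix stripped."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    # A proxy chain may append a comma-separated list; the first entry is
    # the client-facing one. IPv6 literals are out of scope for this example.
    first = raw.split(",")[0].strip()
    return first.partition(":")[0].lower()


def is_trusted_host(host: str) -> bool:
    """Exact-match allowlist check; no suffix or substring matching."""
    return host in ALLOWED_HOSTS


def vulnerable_login_redirect(headers: Dict[str, str], path: str = "/login") -> str:
    """Echoes whatever host the request supplied, so a forged header turns the
    'login required' redirect into an open redirect."""
    return f"https://{claimed_host(headers)}{path}"


def hardened_login_redirect(headers: Dict[str, str], path: str = "/login") -> str:
    """Falls back to the configured canonical host whenever the claimed host is
    not on the allowlist, so the redirect target is never attacker-controlled."""
    host = claimed_host(headers)
    if not is_trusted_host(host):
        host = CANONICAL_HOST
    return f"https://{host}{path}"


def suspicious_host_header(headers: Dict[str, str]) -> bool:
    """Detection helper: True when a request carries a host the deployment
    does not serve, which is worth logging at the proxy or application."""
    return not is_trusted_host(claimed_host(headers))
```

A request with an untrusted X-Forwarded-Host value yields a redirect to that host from the vulnerable function and to the canonical host from the hardened one.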

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2024-41801
GHSA-G92V-VRQ6-4FPW

Affected Products

Apache
Openproject