CVE-2025-24892

Опубликовано: 10 фев. 2025

Источник: nvd

CVSS3: 3.5

CVSS3: 5.4

EPSS Низкий

Описание

OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.

Ссылки

https://github.com/opf/openproject/pull/17783
Patch
https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j
Patch
Vendor Advisory
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch
Patch
https://www.openproject.org/docs/release-notes/12-5-1
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Версия до 15.2.1 (исключая)

EPSS

Процентиль: 56%

0.00335

Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 56%

0.00335

Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79