OpenProject User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in OpenProject, an open-source project management application, affecting versions prior to 16.6.2. The issue allows low-privileged logged-in users to view the full names of other users. It arises because user IDs are assigned in a predictable sequence, so an attacker can iterate through user ID URLs to extract full names. The same enumeration is possible through the OpenProject API, enabling automated retrieval of user names.

Impact

Exploitation of this vulnerability allows unauthorized users to access the full names of all other users, potentially leading to targeted phishing attacks. This information could also be used to infer the organization's internal structure, facilitating further reconnaissance and attack activity.

Reproduction

To reproduce this vulnerability, a low-privileged logged-in user can send requests to the OpenProject application, targeting the user ID URLs. Full names can be retrieved by iterating through the predictable user ID sequence. Alternatively, the OpenProject API can be used to automate this process.
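The defender's counterpart to the behaviour described above is to look for one client fetching many consecutive user IDs in a short span. The following detection logic is an added example, not part of the advisory or of OpenProject; the log format, the /users/<id> and /api/v3/users/<id> path shapes, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Access-log lines constructed for this example (not real OpenProject logs).
# A sequential ID walk shows up as consecutive user IDs requested by one client.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jan/2026:02:10:30 +0000] "GET /users/12 HTTP/1.1" 200
10.0.0.9 - bob [10/Jan/2026:02:11:00 +0000] "GET /users/4 HTTP/1.1" 200
10.0.0.9 - bob [10/Jan/2026:02:11:01 +0000] "GET /users/5 HTTP/1.1" 200
10.0.0.9 - bob [10/Jan/2026:02:11:01 +0000] "GET /users/6 HTTP/1.1" 200
10.0.0.9 - bob [10/Jan/2026:02:11:02 +0000] "GET /users/7 HTTP/1.1" 404
10.0.0.9 - bob [10/Jan/2026:02:11:03 +0000] "GET /users/8 HTTP/1.1" 200
10.0.0.7 - carol [10/Jan/2026:02:12:00 +0000] "GET /api/v3/users/20 HTTP/1.1" 200
10.0.0.7 - carol [10/Jan/2026:02:12:01 +0000] "GET /api/v3/users/21 HTTP/1.1" 200
10.0.0.7 - carol [10/Jan/2026:02:12:01 +0000] "GET /api/v3/users/22 HTTP/1.1" 200
10.0.0.7 - carol [10/Jan/2026:02:12:02 +0000] "GET /api/v3/users/23 HTTP/1.1" 200
10.0.0.7 - carol [10/Jan/2026:02:12:02 +0000] "GET /api/v3/users/24 HTTP/1.1" 200
"""

# Fields: client IP, ident, authenticated user, timestamp, then a UI or API user-ID path.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "GET (?:/api/v3)?/users/(\d+)[ /?]')

def is_sequential(ids, min_fraction=0.8):
    """True when most steps between sorted distinct IDs are exactly +1."""
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return bool(steps) and sum(s == 1 for s in steps) / len(steps) >= min_fraction

def find_enumeration(log_text, min_ids=5, window_seconds=60):
    """Return {(ip, user): sorted IDs} for clients that requested at least min_ids
    distinct user IDs inside any window_seconds window, forming a mostly consecutive run."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            events[(m.group(1), m.group(2))].append((ts, int(m.group(4))))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over this client's requests
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = sorted({uid for _, uid in evs[start:end + 1]})
            if len(ids) >= min_ids and is_sequential(ids):
                flagged[client] = ids
                break
    return flagged

if __name__ == "__main__":
    for (ip, user), ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user-ID enumeration: {user}@{ip} fetched IDs {ids[0]}..{ids[-1]}")
```

Tune min_ids and window_seconds to the deployment's normal browsing pattern; a single user visiting a handful of profile pages should stay below the threshold while an automated walk through the API does not.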

Remediation

Users are advised to upgrade to OpenProject version 16.6.2 or later. For those unable to upgrade, a manual patch is available.

Added: Jan 10, 2026, 2:24 AM
Updated: Jan 10, 2026, 2:24 AM

Vulnerability Rating (Custom Algorithm)

spread: 1.9
impact: 0.6
exploitability: 6.3
remediation: 7.9
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.