OpenProject BlockNote Editor Extension ID Validation Vulnerability Allowing Arbitrary API Requests

Vulnerability

A vulnerability exists in the OpenProject BlockNote editor extension for collaborative documents, affecting OpenProject versions 17.0.0 and 17.0.1. The extension fails to properly validate work package IDs, so an attacker can create documents containing links that trigger arbitrary GET requests to any URL within the OpenProject instance. The flaw was introduced in version 17.0.0 and is exploited by manipulating work package IDs to bypass validation.
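The root cause described above is an ID that is interpolated into a link without being constrained to what a work package ID can actually be. The following is an added example, not OpenProject's or BlockNote's code, showing a strict validator and a hardened link builder beside the unchecked form; the function names, the `/work_packages/` path prefix and the sample IDs are assumptions for illustration.

```javascript
// Added illustration (hypothetical names; not OpenProject/BlockNote code).
// A work package ID is a positive decimal integer and nothing else, so a
// full-match regex rejects anything that could alter the path or query of
// the resulting URL (slashes, dots, '?', '#', '%', whitespace, empty input).
const WORK_PACKAGE_ID = /^[1-9][0-9]*$/;

function isValidWorkPackageId(id) {
  return typeof id === "string" && WORK_PACKAGE_ID.test(id);
}

// Weak variant: interpolates whatever the document supplied into the path.
// A browser resolving this link normalises "../" segments, so the request
// can leave the intended namespace. Kept only to show what the check prevents.
function buildWorkPackageUrlUnchecked(baseUrl, id) {
  return `${baseUrl}/work_packages/${id}`;
}

// Hardened variant: validate first, then build with the URL API and confirm
// the resolved path is still a single segment under /work_packages/.
function buildWorkPackageUrl(baseUrl, id) {
  if (!isValidWorkPackageId(id)) {
    throw new Error(`invalid work package id: ${JSON.stringify(id)}`);
  }
  const url = new URL(`/work_packages/${id}`, baseUrl);
  if (url.pathname !== `/work_packages/${id}`) {
    throw new Error("resolved URL left the work_packages namespace");
  }
  return url.toString();
}

// Resolve every ID found in a document's links, keeping the valid ones and
// returning the rejected ones so they can be logged or flagged for review.
function resolveLinks(baseUrl, ids) {
  const accepted = [];
  const rejected = [];
  for (const id of ids) {
    if (isValidWorkPackageId(id)) accepted.push(buildWorkPackageUrl(baseUrl, id));
    else rejected.push(id);
  }
  return { accepted, rejected };
}

// Constructed sample input: one well-formed ID and several malformed ones.
const SAMPLE_IDS = ["42", "42/../../other", "42?x=1", "abc", "0", ""];

// Where the unchecked builder ends up after the browser normalises the path.
function uncheckedResolvedPath(baseUrl, id) {
  return new URL(buildWorkPackageUrlUnchecked(baseUrl, id)).pathname;
}
```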

Impact

Exploitation of this vulnerability could lead to forced actions, content spoofing, and persistent denial of service within the OpenProject instance, because manipulated work package IDs allow unauthorized API requests to be made on behalf of the viewing user.

Remediation

Users can update to OpenProject version 17.0.2, which includes the patched BlockNote extension. If an immediate update is not possible, administrators can disable collaborative document editing in the OpenProject settings.

Added: Jan 28, 2026, 7:21 PM
Updated: Jan 28, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.3
exploitability: 5.7
remediation: 8.3
relevance: 2.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.