OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 16.6.7
- 17.0.2
A stored HTML injection vulnerability has been identified in OpenProject versions prior to 16.6.7 and 17.0.3. This vulnerability exists in the time tracking feature, where the application fails to properly escape HTML tags. An attacker with administrator privileges can exploit this by creating a work package with a name that includes HTML tags. When this work package is added to the time tracking section, the HTML content is rendered in the user's browser, potentially leading to malicious exploitation.
Exploitation of this vulnerability allows for stored HTML injection, where injected HTML is rendered in the context of the user interface, potentially leading to further attacks such as cross-site scripting.
To reproduce this vulnerability, an administrator can create a work package whose name contains unescaped HTML tags. After saving the work package, the administrator can navigate to the time tracking section and add the work package to the 'Work packages' section. The HTML tags will be rendered in the browser, demonstrating the injection.
Users are advised to update OpenProject to version 16.6.7 or 17.0.3, where this vulnerability has been patched.
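A triage helper for the advisory above, as an added example that is not OpenProject's own code: it checks a version string against the fixed releases and flags work package names that contain tag-like markup, showing the escaped form that renders as literal text. The function names, the tag pattern, the sample names and the reading that every 17.x release below 17.0.3 is affected are assumptions; the names are presumed to have been exported from the instance beforehand.

```ruby
require "rubygems"
require "erb"

# Fixed releases named in the advisory above.
FIXED_16 = Gem::Version.new("16.6.7")
FIXED_17 = Gem::Version.new("17.0.3")
LINE_17  = Gem::Version.new("17.0.0")

# True when the version predates the fix on its release line.
# Assumption: every 17.x release below 17.0.3 is treated as affected.
def affected_version?(version)
  v = Gem::Version.new(version)
  v >= LINE_17 ? v < FIXED_17 : v < FIXED_16
end

# Matches an opening or closing HTML tag such as <b>, </b> or <img src=x>.
# A "<" followed by a digit, or with no closing ">", is not flagged.
TAG_PATTERN = %r{<\s*/?\s*[a-zA-Z][^<>]*>}

# Returns the names that contain tag-like markup, each paired with the
# HTML-escaped form that a browser displays as plain text.
def audit_names(names)
  names.select { |n| n.match?(TAG_PATTERN) }
       .map { |n| { name: n, escaped: ERB::Util.html_escape(n) } }
end

# Constructed sample data, not taken from a real instance.
SAMPLE_NAMES = [
  "Quarterly report",
  "Budget <b>draft</b>",
  "Latency < 200 ms target",
  "Review </i> closing tag",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "17.0.2 affected? #{affected_version?('17.0.2')}"
  audit_names(SAMPLE_NAMES).each do |hit|
    puts "#{hit[:name]} -> #{hit[:escaped]}"
  end
end
```

Names flagged on an instance that ran an affected version are worth reviewing after the upgrade, since the stored values remain in the database.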