CVE-2026-52781
Deferred - Pending Action
Stored XSS in OpenProject via Macro HTML Sanitizer Bypass

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via a :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions, including redirect_to, in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.
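The defect is an attribute policy, not a missing sanitizer, so it helps to see the two policies side by side. The following is an added example written for this page; it is a Python model using the standard library's HTMLParser, not OpenProject's own Ruby sanitizer code. "data-*" is this model's spelling of the wildcard the advisory calls :data, and the "class"-only allowlist for <macro> is an assumption about what a fixed policy looks like, not the project's actual fix. The description fragment is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative element allowlist; the real list is longer and lives in Ruby.
ALLOWED_TAGS = {"p", "macro"}

# Attribute policy per element. "data-*" stands in for the :data wildcard the
# advisory describes. The allowlist variant is an assumption about a fixed policy.
WILDCARD_POLICY = {"macro": ["class", "data-*"]}
ALLOWLIST_POLICY = {"macro": ["class"]}


def attr_allowed(policy, tag, name):
    """True if the policy keeps attribute `name` on element `tag`."""
    for rule in policy.get(tag, []):
        if rule == name or (rule == "data-*" and name.startswith("data-")):
            return True
    return False


class PolicySanitizer(HTMLParser):
    """Re-serialises a fragment, dropping disallowed tags and attributes."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = "".join(
            f' {k}="{escape(v or "", quote=True)}"'
            for k, v in attrs
            if attr_allowed(self.policy, tag, k)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(fragment, policy):
    parser = PolicySanitizer(policy)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def mounts_controller(html):
    """True if the output still tells Stimulus to attach a controller."""
    return "data-controller=" in html


# Constructed description: a legitimate table-of-contents macro followed by
# the attacker's macro carrying the Stimulus hook named in the advisory.
DESCRIPTION = (
    "<p>Status update</p>"
    '<macro class="toc"></macro>'
    '<macro data-controller="poll-for-changes"></macro>'
)

if __name__ == "__main__":
    print("wildcard :", sanitize(DESCRIPTION, WILDCARD_POLICY))
    print("allowlist:", sanitize(DESCRIPTION, ALLOWLIST_POLICY))
```

Under the wildcard policy the fragment comes back unchanged and the controller hook reaches the browser; under the allowlist the legitimate macro keeps its class while the attacker's element is reduced to an inert <macro></macro>. The same allowlist also strips whatever other data-* attribute would tell the controller which attachment to fetch, which is why restricting the policy, rather than blocking one attribute value, is the fix.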
Meta Information
Generated: 2026-06-27
EPSS evaluated: N/A
Affected Vendors & Products
Vendor: openproject
Product: openproject
Version / Range: up to 17.3.3 (excluding)

Note that this single CPE range covers only the 17.3 line. The description above also names 17.4.1 as a fixed release, so 17.4.x builds before 17.4.1 are affected as well and are not captured by the range shown here.
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Detection Guidance

The payload is stored, so the most reliable place to look is the data, not the wire. Search work package descriptions, and the journals that keep their earlier versions, for <macro> elements that carry a data-controller or data-action attribute. OpenProject's own macro syntax has no need for Stimulus hooks, so any such attribute on a <macro> is suspect; data-controller="poll-for-changes" is the specific value this advisory names. Also look for attachments whose content is Turbo Stream markup (<turbo-stream ...> elements): the mounted controller fetches one to obtain the actions it replays, and no ordinary user attachment should contain it.

If you want to watch for new attempts at the edge, start from what the request actually looks like. Work packages are created and edited through the JSON API (POST to /api/v3/projects/{id}/work_packages or /api/v3/work_packages, PATCH to /api/v3/work_packages/{id}), and the markup travels under the "raw" key of the description object; there is no form-encoded description parameter. Two consequences:

  • A plain access log records only the request line, so grep -i 'data-controller="poll-for-changes"' /var/log/openproject/access.log finds nothing unless your reverse proxy or WAF logs request bodies. Where bodies are logged, remember that JSON escapes the quotes (data-controller=\"poll-for-changes\") and that single quotes, whitespace around the equals sign and mixed case are equally valid HTML, so match loosely (a case-insensitive search for <macro followed by data-controller inside the same element) rather than on one exact spelling.
  • tcpdump or Wireshark only help at a point where the traffic is in the clear, i.e. behind TLS termination; on the public side of the proxy you will see ciphertext.

To confirm whether an instance is exposed, check the running version rather than sending a probe: the API root resource (GET /api/v3, with API credentials) reports the core version, and anything below 17.3.3, or a 17.4.x build below 17.4.1, is affected. Do not "test injection" with a hand-built POST against a production instance; a request that succeeded would plant exactly the payload you are hunting for.
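The stored-content search described above, as an added example that is not part of the advisory or of OpenProject. It assumes you export candidate rows yourself, for instance with a query such as SELECT id, description FROM work_packages WHERE description ILIKE '%<macro%' (the table and column names are an assumption about the OpenProject schema); the rows below are constructed samples. It also shows why the exact-substring grep is both too narrow and too broad.

```python
from html.parser import HTMLParser

# Attributes Stimulus uses to mount controllers and bind events. A <macro>
# written through OpenProject's own macro syntax has no reason to carry them.
STIMULUS_HOOKS = ("data-controller", "data-action")


class MacroAuditor(HTMLParser):
    """Collects every data-* attribute found on <macro> elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "macro":
            return
        # The parser lower-cases names and accepts either quote style and
        # whitespace around '=', so spelling variants do not evade the check.
        for name, value in attrs:
            if name.startswith("data-"):
                self.hits.append((name, value or ""))


def scan_rows(rows):
    """rows: iterable of (row_id, stored_html).

    Returns one finding per data-* attribute on a <macro>; stimulus_hook marks
    the ones that make Stimulus mount a controller or bind an action.
    """
    findings = []
    for row_id, html in rows:
        auditor = MacroAuditor()
        auditor.feed(html)
        auditor.close()
        for name, value in auditor.hits:
            findings.append({
                "id": row_id,
                "attr": name,
                "value": value,
                "stimulus_hook": name in STIMULUS_HOOKS,
            })
    return findings


def naive_grep(rows, needle='data-controller="poll-for-changes"'):
    """The exact-substring check, kept for comparison with scan_rows()."""
    return [row_id for row_id, html in rows if needle in html]


# Constructed sample rows (not real OpenProject data).
SAMPLE_ROWS = [
    (101, '<p>Release plan</p><macro class="toc"></macro>'),                 # legitimate macro
    (102, '<p>Hi</p><macro data-controller="poll-for-changes"></macro>'),    # payload as described
    (103, "<macro DATA-Controller = 'poll-for-changes' />"),                 # same payload, spelled differently
    (104, 'Escaped text: &lt;macro data-controller="poll-for-changes"&gt;'), # harmless: text, not markup
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
    print("naive grep flags:", naive_grep(SAMPLE_ROWS))
```

The parser-based scan reports rows 102 and 103 and ignores 104, whose angle brackets are entity-encoded and therefore never become an element. The substring grep does the opposite: it misses the single-quoted variant in 103 and flags the harmless 104. Run the scan over descriptions and journal rows together, then follow each hit to the attachment it references and to the account that uploaded it.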
Mitigation Strategies

Upgrade OpenProject to 17.3.3 or 17.4.1 (or later), where the sanitizer no longer grants <macro> elements arbitrary data-* attributes. Upgrading stops the attribute from reaching the browser, but it does not tell you whether anyone already planted one: after the upgrade, hunt existing descriptions and journals for the pattern described under Detection Guidance, remove what you find, and review the attachments those macros referenced and the accounts that uploaded them.

Until the upgrade can be performed, a web application firewall (WAF) rule that blocks request bodies containing data-controller="poll-for-changes" raises the bar only slightly. It matches one spelling of one attribute value, while single quotes, whitespace around the equals sign, mixed case and JSON escaping all slip past it, and it says nothing about the other data-* attributes the wildcard also lets through. Treat such a rule as a tripwire that alerts, not as a fix.

Reduce who can reach the vulnerable path. The attack needs an account that can edit a work package description and upload an attachment, so restrict those permissions to trusted roles, and disable self-registration if it is enabled, until every instance is patched.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in OpenProject versions prior to 17.3.3 and 17.4.1. It occurs because the HTML sanitizer allows unrestricted data-* attributes on <macro> elements, so data-controller="poll-for-changes" survives sanitization. When a work package description containing that attribute is rendered, Stimulus.js mounts the named controller, which fetches an attacker-uploaded attachment and hands its contents to renderStreamMessage(), executing whatever Turbo Stream actions the attachment contains.

Those actions include redirecting every user who views the work package to an attacker-controlled server, from inside their authenticated session. The attacker needs only an account that can edit a work package description and upload an attachment; victims need only open the work package.

Impact Analysis

An attacker can execute arbitrary Turbo Stream actions in the browser of every authenticated user who views the affected work package. The action the advisory names, redirect_to, sends the victim to a server the attacker controls, which is a ready-made phishing page reached from inside an application the victim trusts; other Turbo Stream actions can rewrite what the victim sees on the page.

Because the attack affects confidentiality and integrity, sensitive information could be exposed or manipulated without your consent.

Compliance Impact

The vulnerability allows attackers to execute arbitrary actions in authenticated users' browser sessions, including redirecting them to attacker-controlled servers. This can compromise the confidentiality and integrity of user data within the application.

Such unauthorized access and manipulation of data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.
