We released OpenProject 10.0.2. The release contains a security-related fix and we urge updating to the newest version.
[CVE-2019-17092] XSS injection vulnerability in projects listing in versions before 9.0.4, 10.0.2
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
This vulnerability has been assigned the CVE identifier CVE-2019-17092.
Versions Affected: <= 9.0.3, 10.0.1
Fixed Versions: 9.0.4, 10.0.2
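The advisory above describes the defect class only in one sentence: a rejected value of the sortBy parameter ends up in an error message that is rendered as HTML without escaping. The following is an added illustration of that pattern and its fix, written for this page; it is not OpenProject's code, and the column list and function names are hypothetical.

```ruby
require 'erb'

# Constructed stand-in for a sort-column whitelist; OpenProject's real
# column set is not reproduced here.
ALLOWED_SORT_COLUMNS = %w[name identifier created_on updated_on].freeze

# Defect pattern (hypothetical, not OpenProject's code): the rejected
# parameter value is interpolated into an HTML fragment unescaped, so any
# markup the client supplied becomes part of the rendered page.
def unsafe_sort_error(sort_by)
  return nil if ALLOWED_SORT_COLUMNS.include?(sort_by)

  "<div class=\"error\">Unknown sort column: #{sort_by}</div>"
end

# Hardened version: the value is HTML-escaped before being embedded, so
# '<', '>', '"', '\'' and '&' are shown as text instead of parsed as markup.
def safe_sort_error(sort_by)
  return nil if ALLOWED_SORT_COLUMNS.include?(sort_by)

  escaped = ERB::Util.html_escape(sort_by)
  "<div class=\"error\">Unknown sort column: #{escaped}</div>"
end

# Check a test suite can run against any error renderer: a parameter value
# that contains markup characters must never reach the output verbatim.
def reflects_markup?(html, value)
  return false if html.nil?

  html.include?(value)
end

if __FILE__ == $PROGRAM_NAME
  tainted = 'name<b>x</b>' # constructed input containing markup characters
  puts "unsafe: #{unsafe_sort_error(tainted)} reflects=#{reflects_markup?(unsafe_sort_error(tainted), tainted)}"
  puts "safe:   #{safe_sort_error(tainted)} reflects=#{reflects_markup?(safe_sort_error(tainted), tainted)}"
end
```

In a Rails view the same effect is obtained by letting ERB's default escaping handle the value rather than marking the string `html_safe`; the point of the check is that the raw parameter never appears in the response body.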
Other bug fixes and changes
- Fixed: Inconsistent row heights when resizing widgets [#31048]
- Fixed: In Budgets projected unit costs and labor cost is not shown [#31247]
- Fixed: Restart puma workers to cope with potential memory leaks [#31262]
- Fixed: “Enterprise Edition” blue bar would be nicer horizontally [#31265]
Thanks to David Haintz from SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.
A big thanks to community members for reporting bugs and helping us identify and provide fixes.
Special thanks for reporting and finding bugs go to Andrea Pistai.