OpenProject 13.4.2

Release date: 2024-05-22

We released OpenProject 13.4.2. The release contains several bug fixes and we recommend updating to the newest version.

Fixes a stored XSS vulnerability in the cost report functionality (CVE-2024-135224)

OpenProject Cost Report functionality uses improper sanitization of user input. This can lead to Stored XSS via the header values of the report table. This attack requires the permissions “Edit work packages” as well as “Add attachments”.

For more information, please see our security advisory.

Bug fixes and changes

  • Bugfix: Improper escaping of custom field values in cost report [#55197]


Thanks for finding and disclosing the vulnerability responsibly go to Sean Marpo. Thank you for reaching out to us and helping in identifying this issue.