Perceptive Security
SOC/SIEM Consultancy

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not p…
Published: 17 March 2026 at 23:00:00
Alert date: 18 March 2026 at 23:01:18
Source: nvd.nist.gov
Web Technologies, Enterprise Applications
OpenProject, an open-source, web-based project management application, contains a cross-site scripting (XSS) vulnerability in its Repositories module. The vulnerability affects versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The flaw exists because the Repositories module does not properly escape filenames taken from the repository before displaying them. An attacker with push access to the repository can create commits whose filenames contain HTML markup, which is then injected into rendered pages without sanitization. This enables persistent XSS against any project member who opens the repositories page to view a changeset in which such a crafted file was deleted. The vulnerability is patched in versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1.
Technical details
Affected products:
OpenProject
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32703
https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp
This article was created with the assistance of AI technology by Perceptive.
