OpenProject is a widely-used open source project management software popular in enterprises and organizations to collaborate, manage tasks, track project status, and much more. In June 2024, a serious vulnerability — CVE-2024-35224 — was identified in OpenProject’s Cost Report feature. This flaw leverages a misconfiguration in a third-party dependency called tablesorter. Attackers with appropriate permissions can exploit this bug to execute JavaScript (Stored XSS) that persists in the application and executes in a victim’s browser.
This long read breaks down how this works, who’s at risk, how to exploit and defend against it, with code samples for demonstration.
1. What is CVE-2024-35224?
At its core, CVE-2024-35224 is a Stored Cross-Site Scripting (XSS) issue in OpenProject’s Cost Report feature. The front-end uses the older tablesorter JavaScript library to render and sort columns. Within certain configurations, OpenProject allows user-supplied input for table headers. If the input includes {icon} substitutions, these are rendered as HTML, even if the input contains unsafe code.
By embedding JavaScript through this vector, malicious users can execute scripts in the browser of anyone viewing the tampered Cost Report.
Official Description:
> OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to stored XSS via {icon} substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments".
*Add attachments*
Often, high-privileged users (such as Project Admins) have these. In shared environments, a Project Admin can potentially prepare a stored XSS payload that triggers when a System Admin views the Cost Report, possibly escalating privileges.
3. Attack Mechanism
Why tablesorter?
OpenProject’s Cost Report feature uses tablesorter, which parses content in headers and allows certain substitutions like {icon}. Due to misconfiguration, it’s possible to inject arbitrary HTML instead of the expected icon code.
How does XSS happen?
A malicious actor could upload an attachment with a filename or metadata containing a specially crafted script, or directly inject payloads into table headers — these are rendered unsanitized and interpreted by the browser.
CSP Bypass?
OpenProject uses CSP (Content Security Policy). However, certain script injections are still possible due to how the {icon} placeholder is processed and converted into HTML, so the browser’s built-in protections can be bypassed.
Step 1: Craft the Payload
Suppose you can define a table header in the Cost Report and you know it processes {icon} like this:
<th>{icon:user}</th>
But due to the bug, this is not sufficiently sanitized. Instead, you could create
<th>{icon:user}<img src=x onerror=alert("XSS")></th>
Or, using OpenProject's UI, input a value like this as a column header or attachment title
user"}'><img src=x onerror=alert('OpenProject XSS')>
If attachments’ metadata/title/filename are processed in the table
// Pseudocode for uploading an attachment with a malicious name
let maliciousFilename = malicious.jpg"}'><img src=x onerror=alert('CVE-2024-35224')>;
uploadAttachment(maliciousFilename);
When an Admin opens the Cost Report, the malicious code executes in their browser
<th>{icon:user"}'><img src=x onerror=alert('CVE-2024-35224')></th>
Visualization in Browser
An alert pops up as soon as the table renders, proving code execution.
Who Can Exploit?
* Project Admins, or any user with both "Edit work packages" and "Add attachments" permissions.
Who Can Be Targeted?
* Typically, System Admins or any user who views Cost Reports with the injected payload.
What’s at Risk?
* Full account compromise (if attacker grabs admin session/cookies)
* Unauthorized actions performed as the victim
* Data leakage, phishing, or modifying project data
Privilege Escalation:
If a Project Admin uses this to hijack a System Admin’s session, it could lead to full compromise of the OpenProject application.
OpenProject 13.4.2
Upgrade immediately to any of the above or newer versions.
Remove permissions for "Edit work packages" and "Add attachments" from untrusted users
- Review all table headers/input sanitization in Cost Reports
7. References
- OpenProject Security Advisory | CVE-2024-35224
- NVD CVE Detail — CVE-2024-35224
- OpenProject changelog and patches
Conclusion
CVE-2024-35224 highlights the dangers of insufficient sanitization in complex frontend components — especially in powerful collaboration software like OpenProject. If your organization runs an affected version, patch right now. Even non-root users can create persistent, stealthy backdoors in your project environment. Always review permissions, sanitize user input, and keep dependencies up to date.
Timeline
Published on: 05/23/2024 13:15:09 UTC
Last modified on: 06/04/2024 17:33:30 UTC