cve/2024/CVE-2024-35224.md

### [CVE-2024-35224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35224)
![](https://img.shields.io/static/v1?label=Product&message=openproject&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2014.1.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2013.4.0%2C%20%3C%2013.4.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2014.0.0%2C%20%3C%2014.0.2%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-80%3A%20Improper%20Neutralization%20of%20Script-Related%20HTML%20Tags%20in%20a%20Web%20Page%20(Basic%20XSS)&color=brightgreen)

### Description

OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.

### POC

#### Reference
- https://community.openproject.org/projects/openproject/work_packages/55198/relations

#### Github
No PoCs found on GitHub currently.
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`### [CVE-2024-35224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35224)`
			`![](https://img.shields.io/static/v1?label=Product&message=openproject&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3C%2014.1.0%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2013.4.0%2C%20%3C%2013.4.2%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2014.0.0%2C%20%3C%2014.0.2%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-80%3A%20Improper%20Neutralization%20of%20Script-Related%20HTML%20Tags%20in%20a%20Web%20Page%20(Basic%20XSS)&color=brightgreen)`

			`### Description`

			OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.

			`### POC`

			`#### Reference`
			`- https://community.openproject.org/projects/openproject/work_packages/55198/relations`

			`#### Github`
			`No PoCs found on GitHub currently.`