CVE-2026-22600

OpenProject · OpenProject

Executive summary

A critical vulnerability has been identified in OpenProject, web-based project management software. This flaw allows an authenticated attacker to read sensitive files from the server, such as configuration files and private project data, by uploading a specially crafted image file and exporting a report to PDF. Successful exploitation could lead to a significant data breach and potential further compromise of the underlying system.

Vulnerability

The vulnerability is a Local File Read (LFR) that exists within the work package PDF export feature. An attacker with permissions to upload attachments can create a malicious SVG file containing a payload that leverages the ImageMagick text: coder. By disguising this SVG file with a .png extension and uploading it as an attachment to a work package, the attacker can then trigger the vulnerability by exporting that work package to a PDF. During the export process, the backend server attempts to process the malicious file as an image, causing ImageMagick to interpret the payload and embed the contents of an arbitrary local file (e.g., /etc/passwd) directly into the generated PDF, which the attacker can then download and view.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant risk to the organization. Exploitation allows an attacker to exfiltrate sensitive data from the server's file system, limited only by the permissions of the application's user account. This could include system user information, application source code, database credentials, API keys, and confidential project data. A successful attack can lead to a complete loss of confidentiality, severe reputational damage, regulatory penalties, and could serve as a foothold for further attacks on the internal network.

Remediation

Immediate Action: Upgrade all instances of OpenProject to the patched version 16.6.4 or a later release. For systems that cannot be upgraded immediately, the vendor has provided a manual patch that should be applied as soon as possible. After patching, monitor application and system logs for any signs of attempted or successful exploitation.

Proactive Monitoring:

  • Monitor application logs for errors or unusual behavior related to the PDF export functionality and ImageMagick processing.
  • Review web server access logs for suspicious file uploads, particularly files with mismatched extensions and content types (e.g., a file with a .png extension identified as image/svg+xml).
  • Implement file integrity monitoring on critical configuration files to detect unauthorized access by the OpenProject application process.
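One way to implement the second monitoring check above, as an added example that is not part of the advisory: a content sniffer that flags attachments whose extension claims a raster image while the bytes are SVG (XML). The sample attachments are constructed, and the MIME labels are the checker's own, not OpenProject's.

```python
import re
from typing import NamedTuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Extensions normally treated as raster images; SVG text behind any of
# them is the extension/content mismatch the advisory says to look for.
RASTER_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}


class Finding(NamedTuple):
    filename: str
    claimed_ext: str
    detected: str


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, never by its filename."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    # SVG is XML text: tolerate a BOM, whitespace, an XML declaration,
    # a DOCTYPE or comments ahead of the <svg root element.
    head = data[:2048].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(b"<") and re.search(rb"<svg[\s>/]", head, re.IGNORECASE):
        return "image/svg+xml"
    return "application/octet-stream"


def find_mismatched_uploads(uploads):
    """Return a Finding for every upload whose raster extension hides SVG content."""
    findings = []
    for filename, data in uploads:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        detected = sniff_type(data)
        if ext in RASTER_EXTENSIONS and detected == "image/svg+xml":
            findings.append(Finding(filename, ext, detected))
    return findings


# Constructed sample attachments (filename, bytes); not real captures.
SAMPLE_UPLOADS = [
    ("logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16),
    ("diagram.svg", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
    ("screenshot.png", b'  <?xml version="1.0"?>\n<!-- c -->\n<svg xmlns="http://www.w3.org/2000/svg"></svg>'),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for f in find_mismatched_uploads(SAMPLE_UPLOADS):
        print(f"ALERT {f.filename}: extension .{f.claimed_ext} but content is {f.detected}")
```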

Compensating Controls: If patching is not immediately possible, implement the following controls:

  • Temporarily disable the work package PDF export functionality.
  • Strictly limit user permissions for uploading attachments to only highly trusted administrative accounts.
  • Implement a Web Application Firewall (WAF) with rules to inspect file uploads for malicious SVG content or mismatched MIME types.
  • Harden the server's ImageMagick configuration (policy.xml) to disable the text: coder.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity (CVSS 9.1) and the high potential for sensitive data exfiltration, we strongly recommend that immediate action be taken. All vulnerable OpenProject instances must be patched to version 16.6.4 or newer without delay. If patching must be deferred, the compensating controls, particularly disabling the PDF export feature and restricting attachment permissions, should be implemented immediately to mitigate the risk.