CVE-2026-32703

OpenProject · OpenProject

The OpenProject Repositories module is vulnerable to a persisted Cross-Site Scripting (XSS) attack due to improper sanitization of filenames within repository commits.

Executive summary

A critical persisted XSS vulnerability in OpenProject allows attackers with repository push access to execute malicious scripts in the browsers of project members.

Vulnerability

The Repositories module fails to properly escape filenames when displaying changesets. An attacker with push access can create a commit containing a filename with malicious HTML/JavaScript, which executes when other project members view the repository's changeset page.
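The defect class described above, reduced to its essentials: a changeset row renderer that interpolates a filename straight into HTML, next to the hardened form that escapes it first. This is an added illustration, not OpenProject's own view code; the renderer functions and the sample filenames are constructed for the demonstration, and ERB::Util.html_escape is the standard library helper that Rails' `h` delegates to.

```ruby
require "erb"

# Constructed sample filenames as they might appear in a changeset listing.
# The second one carries markup and the third carries characters that are
# special in HTML attributes and text; both are sample data only.
SAMPLE_FILENAMES = [
  "app/models/project.rb",
  "docs/<script>alert(1)</script>.md",
  "notes & \"quotes\".txt",
].freeze

# Hypothetical unsafe renderer: the filename is interpolated into the
# markup unchanged, so any tag it contains becomes part of the page.
def render_row_unsafe(filename)
  "<td>#{filename}</td>"
end

# Hardened renderer: HTML-escape the filename before it reaches the page.
# ERB::Util.html_escape replaces & < > " and ' with their entities.
def render_row_safe(filename)
  "<td>#{ERB::Util.html_escape(filename)}</td>"
end

# Simple self-check used below: does the rendered HTML still contain a raw
# tag opener or an event-handler attribute taken from the filename?
def leaks_markup?(html)
  html.include?("<script") || html.include?("onerror=")
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_FILENAMES.each do |name|
    puts "unsafe: #{render_row_unsafe(name)}"
    puts "safe:   #{render_row_safe(name)}"
  end
end
```

The fix is purely at the rendering boundary: the filename is stored as committed and escaped every time it is written into HTML, which is what the patched releases do for the changeset view.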

Business impact

A successful persisted XSS attack can lead to session hijacking, unauthorized actions performed on behalf of project members, and the theft of sensitive project data. Given the CVSS score of 9.0, the risk is severe as it can target high-privilege users, potentially leading to a broader compromise of the OpenProject instance and the data it contains.

Remediation

Immediate Action: Upgrade OpenProject to version 16.6.9, 17.0.6, 17.1.3, or 17.2.1 to ensure that filenames are correctly sanitized before being rendered in the web interface.

Proactive Monitoring: Audit repository commit histories for filenames containing suspicious characters, such as <script> tags or unusual HTML entities.

Compensating Controls: Implement a strong Content Security Policy (CSP) to restrict the execution of inline scripts and unauthorized external scripts, providing a secondary layer of defense against XSS.
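A small audit script for the monitoring step above, added here as an example rather than a tool shipped by OpenProject. It flags any path touched by any commit on any branch whose name contains HTML tag delimiters, quotes, an ampersand, or control characters. The matching functions run against a constructed sample list offline; pass a repository path as the first argument to scan a real checkout with `git log` (git must be on PATH). The pattern and the reason labels are this example's own choices.

```ruby
require "open3"

# Characters that have no business in an ordinary source filename and that
# matter if the name is ever rendered unescaped: tag delimiters, quotes,
# the entity prefix, and control characters.
SUSPICIOUS_PATTERN = /[<>"'&]|[\x00-\x1f\x7f]/

def suspicious_filename?(name)
  SUSPICIOUS_PATTERN.match?(name)
end

# Returns [name, reason] pairs for the names worth a closer look.
def audit_filenames(names)
  names.uniq.filter_map do |name|
    next unless suspicious_filename?(name)
    reason =
      if name.match?(%r{<\s*/?\s*[a-z]}i) then "html tag delimiter"
      elsif name.match?(/[\x00-\x1f\x7f]/) then "control character"
      else "quote, ampersand or entity"
      end
    [name, reason]
  end
end

# Collects every path touched by any commit on any branch. -z makes git
# emit raw NUL-separated names instead of C-quoting unusual ones, so the
# characters we are looking for survive intact. Not exercised offline.
def changed_filenames_from_git(repo_path)
  out, status = Open3.capture2("git", "-C", repo_path, "log", "--all", "-z",
                               "--name-only", "--pretty=format:")
  raise "git log failed for #{repo_path}" unless status.success?
  out.split("\0").map(&:strip).reject(&:empty?)
end

# Constructed sample input standing in for the output of git log above.
SAMPLE_NAMES = [
  "app/controllers/repositories_controller.rb",
  "README.md",
  "docs/<script>x</script>.txt",
  "assets/logo&copy;.svg",
  "tmp/bad\x01name.log",
].freeze

if __FILE__ == $PROGRAM_NAME
  names = ARGV.empty? ? SAMPLE_NAMES : changed_filenames_from_git(ARGV[0])
  audit_filenames(names).each { |name, reason| puts "#{reason}: #{name.inspect}" }
end
```

Hits are worth reviewing rather than treating as proof of abuse: legitimate repositories occasionally contain odd names, but a committed path that embeds markup is exactly what the patched versions stop rendering unescaped, and on an unpatched instance it is the artifact to look for.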

Exploitation status

Public Exploit Available: false

Analyst recommendation

While this vulnerability requires push access, the potential for session hijacking of administrators makes it a critical priority. Organizations should apply the recommended security updates immediately to protect their users from targeted browser-based attacks.