CVE-2026-52785
opf · openproject
OpenProject contains a SQL injection vulnerability in the timestamps functionality, allowing authenticated attackers to execute arbitrary SQL queries via the timestamps parameter.
Executive summary
A critical SQL injection vulnerability in OpenProject enables authenticated attackers to manipulate database queries through the timestamps parameter during baseline comparisons.
Vulnerability
The application fails to properly sanitize the timestamps parameter used in baseline comparisons, allowing an authenticated user to perform SQL injection and potentially access or modify sensitive project data.
Business impact
With a CVSS score of 9.9, this vulnerability presents a severe risk to data integrity and confidentiality. A successful attack could allow an unauthorized party to bypass application logic, extract private project management data, or potentially gain administrative control over the underlying database, causing significant operational disruption.
Remediation
Immediate Action: Upgrade OpenProject to version 17.3.3 or 17.4.1 to resolve the improper input handling.
Proactive Monitoring: Review database audit logs for unusual query patterns or unexpected error messages indicative of SQL injection attempts.
Compensating Controls: Use a Web Application Firewall (WAF) configured with SQL injection protection rules to filter malicious payloads directed at the OpenProject application.
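A triage helper for the upgrade step above, added here as an example and not code from OpenProject or from this advisory's source. It takes an inventory of instances with their reported version strings and flags which still need the upgrade; the affected ranges are inferred from the two fixed releases the advisory names, and the treatment of other branches is an assumption stated in the code.

```python
"""Version triage for the OpenProject SQL injection advisory (CVE-2026-52785)."""
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory. Assumption (not stated on the page):
# 17.3.x at or above 17.3.3, 17.4.x at or above 17.4.1, and any later branch
# are treated as fixed; every older release is treated as affected.
FIXED_RELEASES = ((17, 3, 3), (17, 4, 1))

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional 'v' prefix or '-rc1'-style suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenProject version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True if the version carries the fix for CVE-2026-52785 under the assumptions above."""
    major, minor, patch = parse_version(version)
    for f_major, f_minor, f_patch in FIXED_RELEASES:
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch
    # No named fix on this branch: newer branches assumed fixed, older ones affected.
    newest_fixed_branch = max((f[0], f[1]) for f in FIXED_RELEASES)
    return (major, minor) > newest_fixed_branch


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'fixed', 'affected' or 'unknown' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "fixed" if is_fixed(version) else "affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are invented for this example.
SAMPLE_INVENTORY = {
    "pm-prod.example.internal": "17.3.2",
    "pm-staging.example.internal": "17.4.1",
    "pm-legacy.example.internal": "16.4.0",
    "pm-new.example.internal": "v17.4.0-rc1",
    "pm-unknown.example.internal": "latest",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need their version confirmed by hand rather than being assumed safe.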
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical nature of this SQL injection vulnerability, immediate patching is mandatory. Organizations should ensure that all OpenProject instances are updated to the recommended versions to eliminate the risk of database compromise and unauthorized data access.