CVE-2024-35224 in OpenProject

Summary

by MITRE • 05/23/2024

OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store JavaScript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.


Analysis

by VulDB Data Team • 02/13/2026

CVE-2024-35224 affects OpenProject, a widely used open source project management platform, which is susceptible to stored cross-site scripting through its integration of the tablesorter JavaScript library in the Cost Report feature. The flaw lets an attacker execute scripts in the context of other users' browsers, which is a serious concern for organizations that rely on OpenProject for project management. It manifests when the tablesorter dependency is improperly configured, allowing attacker-supplied code to persist in the application's data storage. Exploitation requires the permissions "Edit work packages" and "Add attachments", which narrows the initial attack surface but still leaves a substantial risk of privilege escalation.

The injection point is the `{icon}` substitution applied to table header values, where attacker-controlled data becomes a persistent XSS payload. Because the payload can be stored as a work-package attachment, the script is served from the application itself, which sidesteps the Content Security Policy (CSP) that would otherwise block it. The weakness is classified as CWE-79 (cross-site scripting), and its exploitation pattern is mapped to ATT&CK technique T1566.001 (initial access through malicious attachments). As a stored XSS, the payload runs automatically whenever an affected user views the compromised table data, which can lead to session hijacking, data theft, or further privilege escalation.
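To make the `{icon}` substitution problem concrete, here is an added illustration of the bug class (this is not OpenProject's or tablesorter's own code; the template string, the icon markup and the function names are assumptions): a header template is filled in with two chained replace calls, so a placeholder that arrives inside the user-controlled header text is expanded as if it were part of the trusted template. The hardened version resolves placeholders from the template only and escapes untrusted content.

```javascript
// Added illustration (not OpenProject's or tablesorter's code) of the bug class
// behind CVE-2024-35224: a header template such as "{content} {icon}" is filled
// in with two chained String.replace calls, so a "{icon}" placeholder that arrives
// inside the user-controlled {content} is expanded by the second replace as if it
// were part of the trusted template.

const ICON_HTML = '<i class="icon-sort"></i>'; // assumed icon markup, normally built from config

// Vulnerable pattern: sequential substitution. Whatever the first replace inserts
// is re-scanned by the second one, so "{icon}" inside `content` is expanded too.
function renderHeaderVulnerable(template, content, icon = ICON_HTML) {
  return template
    .replace(/\{content\}/g, content)
    .replace(/\{icon\}/g, icon);
}

// Minimal HTML escaping for text that must never be parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened pattern: a single pass over the template with a replacer function.
// Placeholders are resolved from the original template string, never from the
// values being inserted, and untrusted content is escaped before insertion.
function renderHeaderSafe(template, content, icon = ICON_HTML) {
  const values = { content: escapeHtml(content), icon };
  return template.replace(/\{(content|icon)\}/g, (_match, name) => values[name]);
}

// Defender-side check: count icon elements in a rendered header. A header rendered
// from a template with a single "{icon}" slot must contain exactly one.
function countIcons(html) {
  return (html.match(/<i class="icon-sort"><\/i>/g) || []).length;
}

// Constructed sample: a stored header value that smuggles in a placeholder.
const HEADER_TEMPLATE = '{content} {icon}';
const UNTRUSTED_HEADER = 'Cost {icon}';

console.log(countIcons(renderHeaderVulnerable(HEADER_TEMPLATE, UNTRUSTED_HEADER))); // 2
console.log(countIcons(renderHeaderSafe(HEADER_TEMPLATE, UNTRUSTED_HEADER)));       // 1
```

Note that passing untrusted text as the replacement string of `String.replace` also interprets `$`-sequences such as `$&`, which is one more reason to use a replacer function.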

The impact of CVE-2024-35224 goes beyond script execution, since the flaw opens a path to privilege escalation within the OpenProject environment. A project administrator holding the required permissions could target a system administrator with this XSS vector and thereby gain unauthorized access to sensitive system functions and data. The issue is fixed in versions 14.1.0, 14.0.2, and 13.4.2, so affected organizations must follow proper upgrade procedures to move to a patched release. The permission requirement suggests the flaw will be exploited less often than more general XSS flaws, but its privilege escalation potential makes it especially dangerous in environments where project administrators hold elevated access rights. Organizations should check their OpenProject installations for vulnerable versions and apply the patches promptly.

Responsible

GitHub, Inc.

Reservation

05/14/2024

Disclosure

05/23/2024

Moderation

accepted

CPE

ready

EPSS

0.00328

KEV

no

Activities

very low
