This is a summary of the AI-generated 10-question deep analysis.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: Stored XSS in OpenProject's **Repositories** module. **Consequences**: Attackers inject malicious scripts via **unescaped filenames**.…
**Root Cause**: **CWE-79** (Improper Neutralization of Input During Web Page Generation). **Flaw**: The system fails to properly **escape/display** filenames in the Repositories module.…
**Public Exploit**: **No**. The `pocs` array is empty in the data. **Advisory**: Confirmed via GitHub Security Advisory (GHSA-p423-72h4-fjvp).…
**Self-Check**: Scan for **OpenProject** instances running versions < 17.2.1. **Manual Test**: Upload a file with a **script tag** in the filename (e.g., `<img src=x onerror=alert(1)>`).…
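The root cause and self-check above, as an added Ruby sketch (not OpenProject's code): it contrasts a filename interpolated into markup verbatim with the same filename escaped at output time, and adds a version check against the 17.2.1 threshold the page gives. All function names, the table-cell markup and the sample listing are assumptions constructed for illustration.

```ruby
require "erb"
require "rubygems" # Gem::Version, for correct multi-part version comparison

# Versions below this are the ones the page says to look for.
FIXED_VERSION = Gem::Version.new("17.2.1")

# True when an instance's reported version is below the fixed release.
def affected?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# CWE-79 pattern: the stored filename reaches the page verbatim,
# so markup inside the name is parsed by the browser as HTML.
def render_entry_unescaped(filename)
  "<td class=\"filename\">#{filename}</td>"
end

# Hardened pattern: the filename is HTML-escaped when it is written out,
# so it is displayed as text whatever characters it contains.
def render_entry_escaped(filename)
  "<td class=\"filename\">#{ERB::Util.html_escape(filename)}</td>"
end

# Audit helper: names in a repository listing that carry HTML
# metacharacters and deserve a closer look.
def suspicious_filenames(names)
  names.select { |n| n.match?(/[<>"']/) }
end

# Constructed sample listing; the second entry is the page's own test string.
SAMPLE_LISTING = [
  "README.md",
  "<img src=x onerror=alert(1)>",
  "notes & todo.txt"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LISTING.each { |n| puts render_entry_escaped(n) }
  puts "flagged: #{suspicious_filenames(SAMPLE_LISTING).inspect}"
  puts "17.2.0 affected? #{affected?('17.2.0')}"
end
```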