Vulnerability Information
Vulnerability Title
Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering
Vulnerability Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject's Markdown rendering did not properly validate hyperlinks, so an attacker could inject hyperlink payloads that perform DOM clobbering. DOM clobbering shadows globals and native DOM functions with HTML elements: an element whose `id` or `name` attribute matches a property that the application's JavaScript expects to be a function or configuration object takes its place, so critical calls throw runtime errors during application initialization, halting further execution and crashing or blanking the entire page. This vulnerability is fixed in 17.2.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerability Title
OpenProject Cross-Site Scripting Vulnerability
Vulnerability Description
OpenProject is an open-source, web-based project management software from OpenProject. Versions of OpenProject prior to 17.2.0 contain a cross-site scripting vulnerability caused by improper validation in OpenProject's Markdown rendering, specifically in its hyperlink handling. An attacker can inject malicious hyperlink payloads that perform DOM clobbering, crashing or blanking the entire page.
CVSS Information
N/A
Vulnerability Type
N/A
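Both descriptions above state the mechanism in a sentence. The page below is added here as an illustration of the general technique; it is not taken from the OpenProject advisory, the OpenProject code base, or the reported payload. It shows what happens when server-rendered Markdown HTML that carries attacker-chosen `id`/`name` attributes is inserted into the live document: an `<img name>` shadows `document.getElementById` and an `<a id>` shadows a global the start-up code expects, so initialization throws a TypeError; the same markup with those attributes stripped initializes normally. The markup, the `appConfig` global, the `appInit` routine and the `stripClobberingAttributes` helper are all constructed for this example.

```html
<!doctype html>
<meta charset="utf-8">
<title>DOM clobbering from rendered Markdown (added illustration)</title>

<!-- The app fills this container with server-rendered Markdown HTML. -->
<div id="description"></div>
<pre id="log"></pre>

<script>
// Bind the prototype method once, before any untrusted markup is inserted, so the
// logger keeps working even after document.getElementById has been clobbered.
const byId = Document.prototype.getElementById.bind(document);
const log = (msg) => { byId('log').textContent += msg + '\n'; };

// Constructed sample output of a Markdown renderer that passes attacker-chosen
// id/name attributes through on links and images. Not the OpenProject payload.
const untrustedHtml =
  '<p>See <a id="appConfig" href="https://attacker.example/api">the docs</a></p>' +
  '<img name="getElementById" alt="">';

// Stand-in for application start-up code that trusts the DOM it finds.
function appInit() {
  const cfg = window.appConfig || { apiBase: '/api' };   // clobberable global
  const el = document.getElementById('description');      // clobberable method
  el.dataset.apiBase = String(cfg.apiBase);
  return 'initialised with apiBase=' + el.dataset.apiBase;
}

// Mitigation: parse into an inert document and drop id/name from user content.
// A production sanitizer (DOMPurify's default SANITIZE_DOM setting does this)
// is preferable to a hand-rolled pass; this shows what the check must cover.
function stripClobberingAttributes(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  for (const el of doc.body.querySelectorAll('[id], [name]')) {
    el.removeAttribute('id');
    el.removeAttribute('name');
  }
  return doc.body.innerHTML;
}

const target = byId('description');

// 1. Unsanitized: the <img name> shadows document.getElementById (Document has
//    [LegacyOverrideBuiltIns], so named elements win over prototype methods) and
//    the <a id> becomes window.appConfig, whose String() value is its href.
target.innerHTML = untrustedHtml;
log('typeof document.getElementById: ' + typeof document.getElementById); // "object"
log('String(window.appConfig): ' + String(window.appConfig));            // the href
try {
  log(appInit());
} catch (e) {
  log('appInit failed: ' + e);   // TypeError: document.getElementById is not a function
}

// Removing the elements removes the named properties again.
target.innerHTML = '';

// 2. Sanitized: same markup minus id/name, start-up succeeds.
target.innerHTML = stripClobberingAttributes(untrustedHtml);
log('typeof document.getElementById: ' + typeof document.getElementById); // "function"
log(appInit());
</script>
```

Save the file and open it in a browser; the `<pre>` shows the failed and then the successful initialization. Two details matter when reviewing a fix like the one shipped in 17.2.0: an `id` on a link only shadows window-level names (the Window named-properties object does not override built-ins, so an undeclared or `var`-free global such as `appConfig` is the realistic target), whereas `<img>`, `<form>`, `<embed>`, `<iframe>` and `<object>` elements with a `name` attribute shadow `document` properties including its prototype methods, which is the "native DOM functions" case the advisory describes. Binding the methods the application needs before untrusted content reaches the DOM, as `byId` does above, limits the blast radius but is no substitute for stripping or prefixing user-controlled `id`/`name` attributes at render time.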