CVE-2025-24892

CVE Database · CVE-2025-24892

CVE-2025-24892

· LOWAnalyzed

CVSS v3.1

3.5

EPSS

0.27%

Published

Feb 10, 2025

Modified

Aug 26, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (1)

openproject · openproject (up to 15.2.1)vulnerable

References (4)

https://github.com/opf/openproject/pull/17783

Patch

https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j

PatchVendor Advisory

https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch

Patch

https://www.openproject.org/docs/release-notes/12-5-1

Release Notes

KEV Catalog EPSS Scores Vendors All CVEs