Vulnerability Description
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before rendering them in a project. The issue has been resolved in OpenProject version 15.2.1. Those who are unable to upgrade may apply the patch manually.
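The class of bug described above is output encoding: a stored value (here a group name) is written into HTML without escaping, so markup in the name is rendered rather than displayed. The following Ruby snippet is an added illustration and is not OpenProject's code or the patch itself; it assumes a hypothetical `render_group_row_*` template helper and uses the standard library's `ERB::Util.html_escape` (the helper behind Rails' `h`) to show the unescaped pattern beside the fixed one, plus a small regression check that a template test could run to confirm no tag from user input survives into the output.

```ruby
require 'erb'

# Constructed sample input: a group name carrying markup, the kind of
# value the advisory says was not escaped before rendering.
UNSAFE_GROUP_NAME = '<script>alert(1)</script>'.freeze

# Vulnerable pattern (hypothetical helper): the stored name is interpolated
# straight into the HTML table cell, so any tags in it become live markup.
def render_group_row_unescaped(name)
  "<tr><td class=\"group-name\">#{name}</td></tr>"
end

# Fixed pattern (hypothetical helper): escape at the point of output.
# ERB::Util.html_escape turns & < > " ' into entities, so the name is shown
# as text no matter what it contains.
def render_group_row_escaped(name)
  "<tr><td class=\"group-name\">#{ERB::Util.html_escape(name)}</td></tr>"
end

# Regression check: the only tags the template itself emits are <tr> and <td>.
# Any other tag name found in the rendered HTML must have come from the input,
# which means escaping was skipped somewhere. Returns the offending tag names.
ALLOWED_TAGS = %w[tr td].freeze

def unexpected_tags(html)
  html.scan(%r{</?\s*([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - ALLOWED_TAGS
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_group_row_unescaped(UNSAFE_GROUP_NAME)}"
  puts "  leaked tags: #{unexpected_tags(render_group_row_unescaped(UNSAFE_GROUP_NAME)).inspect}"
  puts "escaped:   #{render_group_row_escaped(UNSAFE_GROUP_NAME)}"
  puts "  leaked tags: #{unexpected_tags(render_group_row_escaped(UNSAFE_GROUP_NAME)).inspect}"
end
```

The check is deliberately strict about tag names rather than looking for one specific payload: in a real template suite you would list the tags the view legitimately emits and fail the test on anything else, which catches the bug regardless of what the user typed into the name.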
CVSS Score
3.5 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openproject | Openproject | < 15.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/opf/openproject/pull/17783 (Patch)
- https://github.com/opf/openproject/security/advisories/GHSA-mg4q-ghvh-cm2j (Patch, Vendor Advisory)
- https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/17783.patch (Patch)
- https://www.openproject.org/docs/release-notes/12-5-1 (Release Notes)
FAQ
What is CVE-2025-24892?
CVE-2025-24892 is a vulnerability with a CVSS score of 3.5 (LOW). OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management secti...
How severe is CVE-2025-24892?
CVE-2025-24892 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-24892?
Check the references section above for vendor advisories and patch information. Affected products include: Openproject Openproject.