OpenProject 的仓库文件以允许其绕过内容安全策略 (Content Security Policy) 的 MIME 类型提供服务

攻击者可以利用此漏洞在 OpenProject 仓库页面上注入恶意脚本。当项目成员访问包含恶意代码的文件变更记录时，脚本将在其浏览器中执行，可能导致敏感信息泄露、会话劫持或恶意重定向。由于该漏洞允许持久化 XSS 攻击，攻击者可以持续影响项目成员，直到漏洞被修复。攻击者需要具备向仓库推送代码的权限才能利用此漏洞，但一旦获得权限，影响范围可能涉及整个项目团队。

Organizations using OpenProject for project management, particularly those with multiple users and shared repositories, are at risk. Teams relying on OpenProject for sensitive project data are especially vulnerable, as the XSS attack could lead to data theft or unauthorized access. Users with push access to repositories represent the most immediate threat.

• linux / server: Monitor OpenProject logs for unusual activity related to repository commits. Use journalctl -f to observe repository access patterns and look for suspicious filenames.

journalctl -f | grep 'repository commit' | grep -i 'html'

• generic web: Examine OpenProject access and error logs for requests containing suspicious HTML code in filenames. Use curl to test repository endpoints with crafted filenames and observe the response for signs of XSS.

curl 'https://openproject.example.com/repositories/your_repo/commits?filename=<script>alert("XSS")</script>' -s

1. 2026-03-18Disclosure

   disclosure

1. 已保留2026-03-13
2. 发布日期2026-03-18
3. 修改日期2026-03-19
4. EPSS 更新日期2026-03-26

最有效的缓解措施是立即将 OpenProject 升级至 17.2.1 或更高版本，该版本包含修复此漏洞的补丁。如果无法立即升级，可以考虑以下临时缓解措施：限制用户对仓库的推送访问权限，只允许信任用户进行代码提交。此外，实施严格的内容安全策略 (CSP) 可以帮助减轻 XSS 攻击的风险。监控项目仓库页面是否存在异常活动，例如未经授权的文件修改或可疑的 JavaScript 执行。