TheDude

openproject

You've already forked openproject

Code Issues Pull Requests Packages Projects Releases Wiki Activity

OpenProject is the leading open source project management software.

kanban workflows timeline scrum ruby roadmap project-planning project-management openproject angular issue-tracker ifc gantt-chart gantt bug-tracker boards bcf

You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

54613 Commits

139 Branches

203 Tags

1.2 GiB

Ruby 73.1%

TypeScript 16.5%

HTML 6.6%

Sass 2.3%

JavaScript 0.6%

Other 0.7%

Tag: Branch: Tree: c649d260e7

12-3-1-notes-fixes

45001-component-to-show-the-list-of-non-working-days-of-year

45827-project-list-dropdown-actions-cut-off

Small-docs-fix

bug-process-documentation

bug/36827-creating-work-package-in-status-not-available-for-work-package-type

bug/41714-clicking-on-files-tab-scrolls-up-on-ios

bug/41851-blank-email-reminders-page-when-creating-account-manually

bug/43193-remove-oauth-cookie-after-successful-authorization-against-nextcloud

bug/43323-nextcloud-validation-error-in-new-storage-host-field

bug/43504-date-picker-not-working-as-expected-for-utc-time-hour-minus

bug/44924-error-in-souce-string-for-team-planner

bump/angular13

chore/file-list-padding-overwrite

chore/fix-error-toast-for-broken-oauth-data

chore/restructure-file-list-style

code-maintenance/45463-apply-rails-5-0-defaults

dev

display-skeleton-view-over-team-planner-calendar

docker-install

docs-add-details-follow-precede-gantt-distance

docs-add-details-follow-precede-gantt-distance-2

docs-update-to-notifications

docs-updates

docs-updates-for-12.5

documentation/design-system

feat/design-system

featuer/26688/in-app-notifications-table-change

feature/26688/ian-announcements

feature/37398-select-input-none-option

feature/37441-dynamic-form-v2

feature/40228-openapi-spec

feature/40228-openapi-specification-part-2

feature/41530-copying-a-project-shall-also-copy-file-links-attached-to-all-work-packages

feature/42358-standardise-date-pickers

feature/42358-standardise-date-pickers-2

feature/42358-standardise-date-pickers-drop-modal-portal

feature/43118-access-project-dropdown-entries-via-arrow-keys

feature/43638-update-team-planner-and-calendar-for-duration-and-non-working-days-rebased

feature/43644-revoke-access-to-storage-granted-by-oauth

feature/44212-new-release-teaser-block-for-123

feature/45963-remove-select-all-and-open-storage-interaction-elements-from-file-pickers

feature/api_v3_activities_index

feature/documenting-services-and-contracts

feature/ee-date-alerts

feature/file-links-oauth-connection-manager-rebased

feature/in-app-notifications-settings

feature/invite-user-modal

feature/notification_signaling

feature/openapi-spec-and-swagger-ui

feature/placeholder-users

feature/settings_api

feature/spot-list-tooltip-rework

feature/team-planner-fullcalendar

feature/translations-hierarchy

fix-column-width-including-ngselect

fix-tab-info-not-updated-in-notification-center

fix/34436-edit-backlog-date-focus-backlog-details

fix/34436-edit-backlog-date-focus-backlog-details-firefox-quirk

fix/35563-hide-boards-user-is-not-allowed

fix/36521-Saving-changes-to-user-profile-after-handling-error-message-leads-to-user-profile

fix/37509/modal-position-relative

fix/39123-mobile-tab-overflow

fix/39833-work-package-parent-shrink

fix/41437-project-selector

fix/41535-datepicker-overflow

fix/42397-project-filter-is-not-applied-in-embedded-table

fix/43085/default-cf-value-filter

fix/43230-toggle-disabled-state-not-defined

fix/43259-the-list-style-in-the-nextcloud-section-is-not-correct

fix/44197-sort-workpackages-by-updated-at

fix/44846-custom-field-multi-select

fix/45586/totp-clock-error-discoverability

fix/activity-change-detection

fix/activity-tab-spec

fix/api-spec-storage-files

fix/attachments-drag-n-drop-chrome

fix/comment-number-cut-off-on-moblie

fix/custom-plugin-frozen

fix/improve_scheduling_performance-with-simpler_sql

fix/inline-wp-button-macro

fix/json_serialize_delayed_job

fix/missing-omniauth-strategy

fix/notification_and_wp_visiblity_check_performance

fix/op-sidemenu-href

fix/op-sidemenu-onpush

fix/rails_7_scope_merging_on_index

fix/re-enable-rake-task

fix/reject-invalid-host-headers

fix/remove-differential-building

fix/run-url-github

fix/selector_for_board_specs

fix/storybook-zone-aware-promise

fix/update_robot_txt

fix/whitelist_date_on_config_yaml_load

fix/wysiwyg-changes_wo_ckeditor

hal_presenter_demo

housekeeping/update-rxjs

implementation-wp-quick-add-modal-component

implementation/42204-add-file-links-collection-to-work-package-resource

implementation/42379-add-endpoint-to-update-cache-with-live-data

implementation/42843-add-authorization-state-to-storages-api-endpoint

implementation/43693-add-file-link-list-component-to-new-work-package-form

implementation/45083-update-look-of-activity-items-in-activity-module-for-project-and-work-packages

integration/outdated_10.5

packaging/sles15

refactor/autocompleters

refactor/hal-resource-2

refactor/handle-prettier-dependency

release/11.2

release/11.3

release/11.4

release/12.0

release/12.1

release/12.2

release/12.3

release/12.4

revert-10203-fix/ldap-sync-mutex

revert-9332-feature/37472-dynamic-forms-v2-flat-resources_links-model

spike/fullcalendar-resources

spike/hotwire

spike/try-removing-shoulda

stable/10

stable/11

stable/12

stable/5

stable/6

stable/7

stable/8

stable/9

task/41010-add-configure-work-packages-forms-(headlines)-(premium-feature)

task/42684-project-settings-change-screenshot-and-customize-text

task/42759-new-wording-for-note-in-the-english-user-guide

task/43309-edit-forum-section-in-user-guide

task/43662-edit-work-package-faq

task/44235-user-guide-notification-typo-fix

task/44256-user-guide-calculate-work-package-progress-with-work-package-status

update-style-guide-screenshots

wizard-test

11.2.1

2.4.0

release/3.0.0

sprint/2014_08

sprint/2014_09

sprint/2014_10

sprint/2014_11

sprint/2014_12

sprint/2014_13

sprint/2014_16

sprint/2014_18

sprint/2015_01

sprint/2015_02

sprint/2015_03

sprint/2015_04

v10.0.0

v10.0.1

v10.0.2

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.3.1

v10.4.0

v10.4.1

v10.5

v10.5.0

v10.5.1

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.6.5

v11.0.0

v11.0.1

v11.0.2

v11.0.3

v11.0.4

v11.1.0

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.3.4

v11.3.5

v11.4.0

v11.4.1

v12.0.0

v12.0.1

v12.0.10

v12.0.2

v12.0.3

v12.0.4

v12.0.5

v12.0.6

v12.0.7

v12.0.8

v12.0.9

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.1.4

v12.1.5

v12.1.6

v12.2.0

v12.2.1

v12.2.2

v12.2.3

v12.2.4

v12.2.5

v12.3.0

v12.3.1

v12.3.2

v12.3.3

v12.3.4

v12.4.0

v12.4.1

v12.4.2

v12.4.3

v3.0.0

v3.0.1

v3.0.11

v3.0.12

v3.0.13

v3.0.14

v3.0.15

v3.0.16

v3.0.17

v3.0.2

v3.0.3

v3.0.4

v3.0.8

v4.0.0

v4.0.1

v4.0.10

v4.0.11

v4.0.12

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.1.0

v4.1.0-beta

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v5.0.0

v5.0.1

v5.0.10

v5.0.11

v5.0.12

v5.0.13

v5.0.14

v5.0.15

v5.0.16

v5.0.17

v5.0.18

v5.0.19

v5.0.2

v5.0.20

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.1.0

v7.2.0

v7.2.1

v7.2.2

v7.2.3

v7.3.0

v7.3.1

v7.3.2

v7.4.0

v7.4.1

v7.4.2

v7.4.3

v7.4.4

v7.4.5

v7.4.6

v7.4.7

v8.0.0

v8.0.1

v8.0.2

v8.1.0

v8.2.0

v8.2.1

v8.3.0

v8.3.1

v8.3.2

v8.3.3-pre

v9.0.0

v9.0.0-pre

v9.0.1

v9.0.2

v9.0.2-pre

v9.0.3

v9.0.4

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from 'c649d260e7'

${ noResults }

openproject/docs/release-notes/9-0-4

History

Oliver Günther e1c642f46e Move help into docs		5 years ago
..
README.md	Move help into docs	5 years ago

README.md

title	sidebar_navigation	release_version	release_date
OpenProject 9.0.3	[{title 9.0.3}]	9.0.3	2019-07-23

[CVE-2019-17092] XSS injection vulnerability in projects listing in versions before 9.0.4, 10.0.2

An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.

This vulnerability has been assigned the CVE identifier CVE-2019-17092.

Versions Affected: Versions <= 9.0.3, 10.0.1 Fixed Versions: 9.0.4, 10.0.2

Credits

Thanks to David Haintz from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing the identified issues.

Contributions

Thanks to David Haintz from SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.