Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenProject: Shares API Information Disclosure
Vulnerability Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
OPF OpenProject 授权问题漏洞
Vulnerability Description
opf openproject是opf的项目管理软件。 OPF OpenProject 17.3.2之前版本存在授权问题漏洞,该漏洞源于授权检查仅在项目级别进行,未验证用户是否有权查看每个共享工作包,可能导致具有view_shared_work_packages权限的用户发现工作包ID和主题(包括机密标题)、共享访问用户及角色级别。
CVSS Information
N/A
Vulnerability Type
N/A