OpenProject 12.5.4 Security Release
OpenProject 12.5.4 has just been released with two security-related bug fixes identified and reported by a security researcher. They do not pose immediate or high threats, but we do recommend that you update your systems to address these issues.
Keep in mind: OpenProject is open-source software; its source code is available to the public, allowing anyone to study, modify, and distribute it. By making the source code available for review, OpenProject allows a large community of developers to inspect the code for potential security vulnerabilities.
Two reported security issues have been fixed
Invalidation of existing sessions when 2FA activated
When a user registers and confirms their first two-factor authentication (2FA) device for an account, the existing logged-in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, that user's existing sessions are not terminated. This issue has been resolved in OpenProject version 12.5.4 by actively terminating the sessions of a user account once a 2FA device has been registered and confirmed for it.
Invalidation of password reset link when user changes password in the meantime
When a user requests a password reset, an email is sent with a link to confirm and reset the password. If the user changes the password in an active session in the meantime, the password reset link was not invalidated and remained usable for the duration of its validity period. The issue has been resolved in OpenProject version 12.5.4 by actively revoking all active password reset tokens for a user account once its password has been changed successfully within the application.
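The two invariants described above (other sessions end when a 2FA device is confirmed, and outstanding reset tokens are revoked when the password changes) in a small, constructed in-memory model. This is an added example written for this page, not OpenProject's own code; the class, method names and token lifetime are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory model of the two invariants fixed in 12.5.4:
# confirming a 2FA device ends the account's other sessions, and a
# successful password change revokes every outstanding reset token.
class Account
  RESET_TOKEN_TTL = 3600 # seconds; a constructed value, not OpenProject's

  def initialize
    @sessions = {}      # session id => creation time
    @reset_tokens = {}  # SHA-256 of the mailed token => expiry time
  end

  def login(now = Time.now)
    sid = SecureRandom.hex(16)
    @sessions[sid] = now
    sid
  end

  def session_valid?(sid)
    @sessions.key?(sid)
  end

  # Fix 1: confirming the first 2FA device terminates every other session.
  # Pass nil when an administrator created the device on the user's behalf,
  # so that all of the user's sessions are terminated.
  def confirm_two_factor_device!(current_sid = nil)
    @sessions.keep_if { |sid, _| sid == current_sid }
  end

  # Returns the plaintext token to be mailed; only its digest is stored,
  # so a database read does not yield a usable reset link.
  def request_password_reset(now = Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @reset_tokens[Digest::SHA256.hexdigest(token)] = now + RESET_TOKEN_TTL
    token
  end

  def reset_token_valid?(token, now = Time.now)
    expires_at = @reset_tokens[Digest::SHA256.hexdigest(token)]
    !expires_at.nil? && now < expires_at
  end

  # Fix 2: a successful in-application password change revokes all reset
  # tokens, whatever their remaining validity. Hashing and storing the new
  # password itself is omitted from this model.
  def change_password!(_new_password)
    @reset_tokens.clear
  end
end
```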
For further details on all recent fixes, please take a look at our release notes for OpenProject 12.5.4.
Special Thanks to our Community Members
These two security-related issues were responsibly disclosed by Vaishnavi Pardeshi. Thank you for reaching out to us and for your help in identifying these issues! Special thanks for finding and reporting bugs also go to Björn Schümann.
If you have a security vulnerability you would like to disclose, please see our statement on security.
Join our Community now by contributing to the documentation or answering a user-generated question in the OpenProject forum.