OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
An attacker who is a project administrator sends a PATCH request to the endpoint /projects/<A>/settings/project_storages/<A_ps_id>, manipulating the 'storages_project_storage[project_folder_id]' parameter by specifying a folder identifier belonging to another project. The application does not properly verify whether the specified folder belongs to the attacker's project, and saves the foreign folder identifier in the Storages::ProjectStorage record of the attacker's project. During the next synchronization of managed folders, the system overwrites the access control lists (ACLs) on the taken-over folder with the list of users from the attacker's project, effectively taking control of someone else's resource.
Attacker gains unauthorized access to Nextcloud or OneDrive folders belonging to other projects and can overwrite their permissions, leading to disclosure of sensitive data, modification, or loss of access for legitimate users.
OpenProject should be updated to version 17.3.3 or 17.4.1, in which the vulnerability has been fixed. Detailed information is available in the producer's security advisory at https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6
OpenProject in versions before 17.3.3 (17.3.x branch) and before 17.4.1 (17.4.x branch), using integration with Nextcloud or OneDrive file storage
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H