The HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions — including redirect_to — in every victim's authenticated browser session, redirecting them to an attacker-controlled server.
Credits
This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.
The HTML sanitizer grants
<macro>elements unrestricteddata-*attributes via:datawildcard. An attacker injectsdata-controller="poll-for-changes"into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it torenderStreamMessage(). This executes arbitrary Turbo Stream actions — includingredirect_to— in every victim's authenticated browser session, redirecting them to an attacker-controlled server.Credits
This vulnerability was reported as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.