| 1 | +--- |
| 2 | +title: OpenProject 16.6.7 |
| 3 | +sidebar_navigation: |
| 4 | + title: 16.6.7 |
| 5 | +release_version: 16.6.7 |
| 6 | +release_date: 2026-02-06 |
| 7 | +--- |
| 8 | + |
| 9 | + # OpenProject 16.6.7 |
| 10 | + |
| 11 | + Release date: 2026-02-06 |
| 12 | + |
| 13 | + We released OpenProject [OpenProject 16.6.7](https://community.openproject.org/versions/2265). |
| 14 | + The release contains several bug fixes and we recommend updating to the newest version. |
| 15 | + Below you will find a complete list of all changes and bug fixes. |
| 16 | + |
| 17 | +<!-- BEGIN CVE AUTOMATED SECTION --> |
| 18 | + |
| 19 | +## Security fixes |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +### GHSA-q523-c695-h3hp - Stored HTML injection on time tracking |
| 24 | + |
| 25 | +An HTML injection vulnerability occurs in the time tracking function of OpenProject version 17.0.2. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the `Work package` section when creating time tracking. |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +Responsibly disclosed by Researcher: Nguyen Truong Son ([truongson526@gmail.com](mailto:truongson526@gmail.com)) through the GitHub advisory. |
| 30 | + |
| 31 | + |
| 32 | + |
| 33 | +For more information, please see the [GitHub advisory #GHSA-q523-c695-h3hp](https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp) |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | +### GHSA-x37c-hcg5-r5m7 - Command Injection on OpenProject repositories leads to Remote Code Execution |
| 38 | + |
| 39 | +An arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (`/projects/:project_id/repository/changes`) when rendering the “latest changes” view via `git log`. |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +By supplying a specially crafted `rev` value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject `git log` command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled `rev` as an option and writes the output to an attacker-chosen path. |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | +As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of `git log` output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as `/etc/passwd`. |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +This vulnerability was reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission. |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +For more information, please see the [GitHub advisory #GHSA-x37c-hcg5-r5m7](https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7) |
| 56 | + |
| 57 | + |
| 58 | +<!-- END CVE AUTOMATED SECTION --> |
| 59 | + |
| 60 | +<!--more--> |
| 61 | + |
| 62 | +## Bug fixes and changes |
| 63 | + |
| 64 | +<!-- Warning: Anything within the below lines will be automatically removed by the release script --> |
| 65 | +<!-- BEGIN AUTOMATED SECTION --> |
| 66 | + |
| 67 | + |
| 68 | +<!-- END AUTOMATED SECTION --> |
| 69 | +<!-- Warning: Anything above this line will be automatically removed by the release script --> |
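Review bot: the GHSA-q523-c695-h3hp paragraph states the stored HTML injection "occurs in the time tracking function of OpenProject version 17.0.2", which does not match the 16.6.7 release these notes describe; the text should name the affected 16.6.x versions and say that 16.6.7 contains the fix, or explain why a 17.0.2 finding is listed here. Two smaller points in the same hunk: the intro line reads "We released OpenProject [OpenProject 16.6.7]" and should drop the duplicated word, and the GHSA-x37c-hcg5-r5m7 heading says "Command Injection" while the body describes injection of `git log` command-line options through the `rev` parameter of the repository changes endpoint, resulting in an arbitrary file write that is then escalated to RCE; a heading that matches the body (for example "Argument injection in repository changes endpoint leads to arbitrary file write and RCE") would tell operators more accurately what was fixed and who can trigger it (any user holding `:browse_repository` on the project, per the body).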