Zero-Day Advisory
Fortinet Discovers OpenProject Wiki Tabnabbing Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a Tabnabbing Vulnerability in OpenProject.
OpenProject is a web-based project management system for location-independent team collaboration.
OpenProject is susceptible to a tabnabbing vulnerability. The issue occurs because the server allows attacker-supplied input to place "target=_blank" on an HTML anchor tag without a "rel=noopener" attribute; the page opened in the new tab then receives a window.opener reference to the originating tab, which can result in the attacker controlling the victim's browser.
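As an added illustration of the server-side mitigation (this is not OpenProject's own code, which is a Ruby on Rails application, but a stand-alone Python sketch of the same check): re-serialize user-supplied HTML so that every anchor that opens a new tab carries rel="noopener noreferrer", and report which links were missing it. The names LinkHardener and harden_links and the sample HTML are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical helper (not OpenProject's code): re-emit user-supplied wiki HTML with
# rel="noopener noreferrer" forced onto every <a target="_blank"> (no window.opener).
REQUIRED_REL = ("noopener", "noreferrer")


class LinkHardener(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # re-serialized HTML fragments
        self.flagged = []   # hrefs that had target=_blank without noopener

    def _harden(self, attrs):
        d = dict(attrs)
        if (d.get("target") or "").strip().lower() != "_blank":
            return attrs                      # same-tab link: leave untouched
        rel = set((d.get("rel") or "").lower().split())
        if "noopener" not in rel:
            self.flagged.append(d.get("href") or "")
        rel.update(REQUIRED_REL)
        return [(n, v) for n, v in attrs if n != "rel"] + [("rel", " ".join(sorted(rel)))]

    def _emit(self, tag, attrs, self_closing=False):
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"' for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, self._harden(attrs) if tag == "a" else attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, self._harden(attrs) if tag == "a" else attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # parser hands us unescaped text


def harden_links(html):
    """Return (hardened_html, hrefs_that_were_vulnerable)."""
    p = LinkHardener()
    p.feed(html)
    p.close()
    return "".join(p.out), p.flagged


# Constructed sample: two new-tab links lacking noopener, plus a same-tab link.
SAMPLE = ('<p>See <a href="https://example.com/?a=1&amp;b=2" target="_blank">docs</a>'
          ' and <a href="/wiki" target="_BLANK" rel="nofollow">more</a>'
          ' and <a href="/same-tab">plain</a></p>')
```

The flagged list is what a detection pass over stored wiki content would surface; the hardened string is what the renderer should emit.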
Solutions
Users should apply the solution provided by OpenProject.
Timeline
Fortinet reported the vulnerability to OpenProject on 29 November, 2019.
OpenProject confirmed the vulnerability on 5 December, 2019.
OpenProject released a patch for the vulnerability on 11 December, 2019.
References
Acknowledgement
This vulnerability was discovered by Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs.