An unscoped loading of Project Storages led to users with the Manage Files in Project permission in one project being able to access project storages in other projects. This disclosed information about those storages that they were not supposed to see.
Additionally, for storages with automatic project folder management, when a deletion of the project folder was triggered, the deletion in the file storage was executed before the permission check. Together with the unscoped loading above, this allowed users with the Manage Files in Project permission in one project to delete automatically managed folders in file storages that they did not have access to.
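The two defects described above, modelled as an added example in plain Ruby (not OpenProject's code): a lookup that is not scoped to the acting project, and a file-storage deletion that runs before the permission check, beside the corrected ordering. The storage records, the `FakeFileStorage` class and the `:manage_files_in_project` permission name are constructed for the illustration.

```ruby
# Constructed sample data: one storage in each of two projects.
ProjectStorage = Struct.new(:id, :project_id, :folder, :deleted)
STORAGES = [
  ProjectStorage.new(1, 100, "/proj-a", false),
  ProjectStorage.new(2, 200, "/proj-b", false),
]

# Stand-in for the external file storage; deleting a folder is irreversible.
class FakeFileStorage
  attr_reader :deleted_folders
  def initialize; @deleted_folders = []; end
  def delete_folder(path); @deleted_folders << path; end
end

# user is a hash of project_id => list of permissions held there.
def allowed?(user, project_id, permission)
  user.fetch(project_id, []).include?(permission)
end

# VULNERABLE: the storage is looked up by id across all projects, and the
# folder is removed from the file storage before authorization is checked.
def delete_folder_vulnerable(user, project_id, storage_id, file_storage)
  storage = STORAGES.find { |s| s.id == storage_id }   # ignores project_id
  raise "not found" unless storage
  file_storage.delete_folder(storage.folder)           # side effect first
  raise "forbidden" unless allowed?(user, storage.project_id, :manage_files_in_project)
  storage.deleted = true
  :ok
end

# FIXED: authorize in the project the user is acting in, then load only
# storages that belong to that project, and only then touch the file storage.
def delete_folder_fixed(user, project_id, storage_id, file_storage)
  raise "forbidden" unless allowed?(user, project_id, :manage_files_in_project)
  storage = STORAGES.find { |s| s.id == storage_id && s.project_id == project_id }
  raise "not found" unless storage
  file_storage.delete_folder(storage.folder)
  storage.deleted = true
  :ok
end
```

In the vulnerable path a user holding the permission only in project 100 can request storage 2 (project 200): the permission check still fails, but the folder in the file storage is already gone by then.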
Credits
This vulnerability was reported by user cavid as part of the YesWeHack.com OpenProject Bug Bounty program, sponsored by the European Commission.