Impact
OpenProject versions 17.3.2 and earlier, and 17.4.0 and earlier, contain a stored cross-site scripting flaw: the HTML sanitizer allows <macro> elements to carry unrestricted data-* attributes. By injecting a data-controller="poll-for-changes" attribute into the description of a work package, an attacker can cause Stimulus.js to mount a controller that fetches an attacker-supplied attachment and passes it to renderStreamMessage(), which executes arbitrary Turbo Stream actions (including redirect_to) inside every authenticated victim's browser session. The result is a client-side redirect to an attacker-controlled server, effectively turning the vulnerability into an information-disclosure or phishing vector.
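The root cause above is an attribute policy, not a tag policy: <macro> itself is allowed, but nothing constrains which data-* attributes it may carry. The following added example (not OpenProject's code; the allowlist, the sanitize() helper and the sample description are constructed for illustration) shows a small attribute filter with the weak "any data-*" policy beside the hardened allowlist policy, and records which attributes were dropped so stored descriptions can be audited for a data-controller on a macro.

```python
import html
from html.parser import HTMLParser

# Attributes a <macro> may keep. Hypothetical allowlist constructed for this
# example; OpenProject's real policy lives in its own sanitizer.
MACRO_ATTR_ALLOWLIST = {"class", "data-macro-name"}

class MacroAttrFilter(HTMLParser):
    """Re-serialise a fragment, enforcing an attribute policy on <macro>.
    Other elements pass through untouched here; a real sanitizer applies its
    normal allowlist to them too."""

    def __init__(self, allow_any_data_attr):
        super().__init__()
        self.allow_any_data_attr = allow_any_data_attr
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed by the policy

    def _keep(self, tag, name):
        if tag != "macro" or name in MACRO_ATTR_ALLOWLIST:
            return True
        # Weak policy: any data-* attribute survives, so data-controller
        # reaches the DOM and Stimulus mounts whatever controller it names.
        return self.allow_any_data_attr and name.startswith("data-")

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if self._keep(tag, name):
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(fragment, allow_any_data_attr=False):
    """Return (clean_html, dropped_attributes) for the given fragment."""
    p = MacroAttrFilter(allow_any_data_attr)
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample description: a macro smuggling a Stimulus controller.
SAMPLE = ('<p>Status update</p>'
          '<macro class="toc" data-controller="poll-for-changes">toc</macro>')
```

With the hardened policy the data-controller attribute never reaches the DOM, so Stimulus has nothing to mount; the dropped list doubles as a detection signal when run over already-stored descriptions.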
Affected Systems
Affected product: OpenProject, a web-based project management platform from opf. Users running any OpenProject release older than 17.3.3 or 17.4.1 are vulnerable. All earlier patch levels up to 17.3.2 and 17.4.0 should be considered affected.
Risk and Exploitability
The vulnerability has a severity score of 6, indicating medium severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by submitting a malicious description through the /api/v3/projects/{project}/work_packages endpoint, which likely requires authenticated credentials but does not require privileged access beyond the ability to modify a work package. Each vulnerable browser session that renders the description will then execute the injected Turbo Stream actions, leading to automatic redirects. Given the medium score and the lack of broad exploitation signals, the risk is moderate; however, because the payload runs client-side, every user who views the malicious content is affected.
OpenCVE Enrichment