Update security fixes

Oliver Günther
2026-06-10 07:53:00 +02:00
parent 1dc988220a
commit 44ebb47699
+17
@@ -164,6 +164,23 @@ We'd like to thank GitHub user [@aslantugay](https://github.com/aslantugay) for
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
## Security fixes
### CVE-2026-52779 - Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects
A cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-jrx5-px3f-vfq4](https://github.com/opf/openproject/security/advisories/GHSA-jrx5-px3f-vfq4)
<!-- END SECURITY FIXES AUTOMATED SECTION -->
<!--more-->
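Review bot: the advisory reference line `For more information, please see the [GitHub advisory #GHSA-jrx5-px3f-vfq4](https://github.com/opf/openproject/security/advisories/GHSA-jrx5-px3f-vfq4)` is missing its terminal period, unlike the two sentences before it. Since this text sits between the `<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->` and `<!-- END SECURITY FIXES AUTOMATED SECTION -->` markers, correct it in whatever generates that section rather than by hand in this file, or the next regeneration will reintroduce it.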