A reflected XSS vulnerability via a POST request to /tool/ack.php affecting all ProjectOr versions up to v11.0.2 (unpatched)
It was possible to bypass the very basic and incomplete security measure (detection of the <script> tag) that exists in the checkValidHtmlText() function of the /model/Security.php file of the solution.
- 30-10-2023: Vulnerability identified during a client pentest