CVE-2023-31140

Name: CVE-2023-31140
Creator: NVD / NIST
Published: 2023-05-08T21:15:11.693+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.89%

Last modified Jun 17, 2026

CVE-2023-31140 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. EPSS estimates a 0.89% chance of exploitation in the next 30 days.

Description

OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.89%

54.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-613

Affected Software

Vendor	Product	Versions
Openproject	Openproject	>= 7.4.0, < 12.5.4

References

https://community.openproject.org/wp/48035Exploit
https://github.com/opf/openproject/pull/12508Patch
https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28qMitigation, Vendor Advisory
https://www.openproject.org/docs/release-notes/12-5-4/Mitigation, Release Notes
https://community.openproject.org/wp/48035Exploit
https://github.com/opf/openproject/pull/12508Patch
https://github.com/opf/openproject/security/advisories/GHSA-xfp9-qqfj-x28qMitigation, Vendor Advisory
https://www.openproject.org/docs/release-notes/12-5-4/Mitigation, Release Notes

Timeline

Published: May 8, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-31140?

How severe is CVE-2023-31140?

CVE-2023-31140 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.89% probability of exploitation in the next 30 days.

How do I fix CVE-2023-31140?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-31140?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST