A security review of ProjectForge was carried out by a team from Micromata, Germany. Many thanks to Sergej Michel and Peter Baus (great job)!
Security release: please update as soon as practicable! Several vulnerabilities were found; all of them require a logged-in user to exploit:
Security: Cross-Site Request Forgery (CSRF): an attacker could send a manipulated HTML page to a logged-in user, whose browser would then perform requests against ProjectForge in that user's session.
Security: XSS via JSON strings in the autocompletion form: an attacker who is a logged-in user could store manipulated autocompletion strings in the database, which were then delivered in the autocompletion JSON without proper escaping.
Security: salt and pepper for passwords: an attacker with access to a database dump, i.e. to the SHA-256 hashed passwords of ProjectForge users, could recover weak passwords by brute force or with rainbow tables. Passwords are now hashed with a per-user salt and a server-side pepper.
Security: improved mechanism against brute-force attacks on user/password combinations (failed attempts are now counted per username as well as per IP address); REST calls are now covered as well.
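As an added illustration of the salt-and-pepper item above (this is not ProjectForge's code; the pepper value, the weak-password list and the PBKDF2 parameters are constructed for the example), the following Python shows why a plain SHA-256 digest falls to a precomputed table while a salted, peppered hash does not, and why a database dump alone is not enough to verify guesses offline when the pepper lives in the application configuration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed attacker-side lookup table (stand-in for a rainbow table):
# SHA-256 of a handful of weak passwords, computed once and reusable against
# any dump of unsalted hashes.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED_SHA256 = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}

# Hypothetical server-side pepper. It belongs in the application configuration
# (or a secrets store), never in the database, so a DB dump does not include it.
PEPPER = b"example-pepper-loaded-from-config-not-from-db"


def hash_unsalted(password: str) -> str:
    """The weak scheme: a single SHA-256 over the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted_peppered(password: str, salt: bytes, pepper: bytes = PEPPER,
                         iterations: int = 100_000) -> str:
    """Salted and peppered hash.

    The pepper is mixed in with HMAC-SHA256 (keyed by the pepper), then the
    result is stretched with PBKDF2-HMAC-SHA256 under the per-user salt.
    Salt and iteration count are stored with the hash; the pepper is not.
    """
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, _dk_hex = stored.split("$")
    recomputed = hash_salted_peppered(password, bytes.fromhex(salt_hex), pepper, int(iters))
    return hmac.compare_digest(recomputed, stored)


def crack_with_table(stored_digest_hex: str) -> Optional[str]:
    """Attacker holding a DB dump: look the digest up in the precomputed table."""
    return PRECOMPUTED_SHA256.get(stored_digest_hex)


def demo() -> dict:
    pw = "123456"                      # a weak password
    weak = hash_unsalted(pw)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    strong_a = hash_salted_peppered(pw, salt_a)
    strong_b = hash_salted_peppered(pw, salt_b)   # same password, second user
    return {
        "unsalted_cracked": crack_with_table(weak),                   # hit
        "salted_cracked": crack_with_table(strong_a.split("$")[-1]),  # miss
        "same_password_same_hash": strong_a == strong_b,              # False: salts differ
        "verify_ok": verify(pw, strong_a),
        "verify_wrong_password": verify("654321", strong_a),
        "verify_without_pepper": verify(pw, strong_a, pepper=b""),    # dump alone is not enough
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt defeats precomputation (every user's hash must be attacked separately), the iteration count slows each guess, and the pepper means an attacker who only has the database rows cannot even check candidates without also compromising the server configuration.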
Improved LDAP support (for ProjectForge acting as LDAP master).
Some minor bugfixes and features are included as well.
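The per-username and per-IP counting described in the brute-force item above, as an added Python sketch (not ProjectForge's implementation; the thresholds, IP addresses and the credential store are constructed for the example). Because the same check is applied to every `attempt`, it covers REST calls exactly as it covers the login form:

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

Key = Tuple[str, str]  # ("user", name) or ("ip", address)


@dataclass
class LoginThrottle:
    """Failed-login throttle keyed independently by username and by client IP.

    Counting per username stops many hosts hammering one account; counting per
    IP stops one host spraying a password across many accounts. A key that
    reaches max_failures inside window_seconds is locked for lockout_seconds.
    The clock is injectable so the behaviour can be tested without sleeping.
    """
    max_failures: int = 5
    window_seconds: float = 300.0
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[Key, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _locked_until: Dict[Key, float] = field(default_factory=dict)

    @staticmethod
    def _keys(username: str, ip: str) -> Tuple[Key, Key]:
        return ("user", username.strip().lower()), ("ip", ip)

    def is_blocked(self, username: str, ip: str) -> bool:
        now = self.clock()
        return any(self._locked_until.get(k, 0.0) > now for k in self._keys(username, ip))

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        for k in self._keys(username, ip):
            q = self._failures[k]
            q.append(now)
            while q and now - q[0] > self.window_seconds:   # drop stale entries
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[k] = now + self.lockout_seconds
                q.clear()

    def record_success(self, username: str, ip: str) -> None:
        # A correct login clears that user's failure history; the IP history is
        # kept on purpose, so a sprayer cannot reset its budget by logging into
        # one account it already controls.
        self._failures.pop(("user", username.strip().lower()), None)


def attempt(throttle: LoginThrottle, username: str, ip: str, password: str,
            check_credentials: Callable[[str, str], bool]) -> str:
    """One login attempt through any channel (web form or REST call). The
    throttle is consulted before the credentials are checked, so a locked
    account or IP gets no answer about the password at all."""
    if throttle.is_blocked(username, ip):
        return "blocked"
    if check_credentials(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "failed"


def _check(username: str, password: str) -> bool:
    # Constructed credential store for the simulation.
    return {"alice": "s3cret", "dave": "correct"}.get(username) == password


def simulate_spray_from_one_ip() -> List[str]:
    """One host tries a wrong password against three accounts, then a fourth."""
    now = [1000.0]
    t = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600, clock=lambda: now[0])
    events = [attempt(t, u, "203.0.113.7", "wrong", _check) for u in ("alice", "bob", "carol")]
    events.append(attempt(t, "dave", "203.0.113.7", "correct", _check))   # right password, IP locked
    events.append(attempt(t, "dave", "198.51.100.9", "correct", _check))  # other IP: fine
    now[0] += 601                                                          # lockout expires
    events.append(attempt(t, "dave", "203.0.113.7", "correct", _check))
    return events  # ['failed', 'failed', 'failed', 'blocked', 'ok', 'ok']


def simulate_distributed_attack_on_one_user() -> List[str]:
    """Three hosts each try one wrong password for alice; a fourth has the right one."""
    t = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600)
    events = [attempt(t, "alice", ip, "wrong", _check)
              for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3")]
    events.append(attempt(t, "alice", "192.0.2.4", "s3cret", _check))      # username locked
    return events  # ['failed', 'failed', 'failed', 'blocked']
```

One caveat when deploying something like this: a per-username lockout can be abused to lock legitimate users out, so the thresholds should be generous, lockouts should be logged for the operators, and the response to a blocked attempt should be the same generic failure message as for a wrong password.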