A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

  • Published Date: Monday 13th of May 2019 04:29:02 PM
  • Modified Date: Tuesday 14th of May 2019 09:44:25 AM
    • Network Access Vector: The attacker does not require local network access or local access.
    • Authentication Vector: Authentication is not required to access and exploit the vulnerability.
    • Complexity Vector: One instance of complexity is required to access and exploit the vulnerability.
    • Availability Impact: There is reduced performance or interruptions in resource availability.
    • Integrity Impact: Modification of some system files is possible.
    • Confidentiality Impact: There is considerable information disclosure.
    • CVSS Score: 6.8
    • Common Platform Enumeration (CPE) Dictionary
      • cpe:2.3:a:openproject:openproject:5.0.0
      • cpe:2.3:a:openproject:openproject:5.0.1
      • cpe:2.3:a:openproject:openproject:5.0.2
      • cpe:2.3:a:openproject:openproject:5.0.3
      • cpe:2.3:a:openproject:openproject:5.0.4
      • cpe:2.3:a:openproject:openproject:5.0.5
      • cpe:2.3:a:openproject:openproject:5.0.6
      • cpe:2.3:a:openproject:openproject:5.0.7
      • cpe:2.3:a:openproject:openproject:5.0.8
      • cpe:2.3:a:openproject:openproject:5.0.9
      • cpe:2.3:a:openproject:openproject:5.0.10
      • cpe:2.3:a:openproject:openproject:5.0.11
      • cpe:2.3:a:openproject:openproject:5.0.12
      • cpe:2.3:a:openproject:openproject:5.0.13
      • cpe:2.3:a:openproject:openproject:5.0.14
      • cpe:2.3:a:openproject:openproject:5.0.15
      • cpe:2.3:a:openproject:openproject:5.0.16
      • cpe:2.3:a:openproject:openproject:5.0.17
      • cpe:2.3:a:openproject:openproject:5.0.18
      • cpe:2.3:a:openproject:openproject:5.0.19
      • cpe:2.3:a:openproject:openproject:5.0.20
      • cpe:2.3:a:openproject:openproject:6.0.0
      • cpe:2.3:a:openproject:openproject:6.0.1
      • cpe:2.3:a:openproject:openproject:6.0.2
      • cpe:2.3:a:openproject:openproject:6.0.3
      • cpe:2.3:a:openproject:openproject:6.0.4
      • cpe:2.3:a:openproject:openproject:6.0.5
      • cpe:2.3:a:openproject:openproject:6.1.0
      • cpe:2.3:a:openproject:openproject:6.1.1
      • cpe:2.3:a:openproject:openproject:6.1.2
      • cpe:2.3:a:openproject:openproject:6.1.3
      • cpe:2.3:a:openproject:openproject:6.1.4
      • cpe:2.3:a:openproject:openproject:6.1.5
      • cpe:2.3:a:openproject:openproject:6.1.6
      • cpe:2.3:a:openproject:openproject:7.0.0
      • cpe:2.3:a:openproject:openproject:7.0.1
      • cpe:2.3:a:openproject:openproject:7.0.2
      • cpe:2.3:a:openproject:openproject:7.0.3
      • cpe:2.3:a:openproject:openproject:7.1.0
      • cpe:2.3:a:openproject:openproject:7.2.0
      • cpe:2.3:a:openproject:openproject:7.2.1
      • cpe:2.3:a:openproject:openproject:7.2.2
      • cpe:2.3:a:openproject:openproject:7.2.3
      • cpe:2.3:a:openproject:openproject:7.3.0
      • cpe:2.3:a:openproject:openproject:7.3.1
      • cpe:2.3:a:openproject:openproject:7.3.2
      • cpe:2.3:a:openproject:openproject:7.4.0
      • cpe:2.3:a:openproject:openproject:7.4.1
      • cpe:2.3:a:openproject:openproject:7.4.2
      • cpe:2.3:a:openproject:openproject:7.4.3
      • cpe:2.3:a:openproject:openproject:7.4.4
      • cpe:2.3:a:openproject:openproject:7.4.5
      • cpe:2.3:a:openproject:openproject:7.4.6
      • cpe:2.3:a:openproject:openproject:7.4.7
      • cpe:2.3:a:openproject:openproject:8.0
      • cpe:2.3:a:openproject:openproject:8.0.1
      • cpe:2.3:a:openproject:openproject:8.0.2
      • cpe:2.3:a:openproject:openproject:8.1.0
      • cpe:2.3:a:openproject:openproject:8.2.0
      • cpe:2.3:a:openproject:openproject:8.2.1
      • cpe:2.3:a:openproject:openproject:8.3.0
      • cpe:2.3:a:openproject:openproject:8.3.1
    • Reference:
