OpenProject 8.3.2 released

OpenProject 8.3.2

We released OpenProject 8.3.2.
The release contains a security-related fix, and we urge you to update to the newest version immediately.

CVE-2019-11600

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. This vulnerability has been assigned the CVE identifier CVE-2019-11600.

Versions Affected: 5.0.0 – 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0
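
For operators reviewing access logs from the time an affected version was running, the following added example (not code from OpenProject or from the advisory) flags requests to the activities API whose id is not a plain integer. The endpoint path /api/v3/activities/<id>, the combined log format and the sample log lines are assumptions made for illustration.

```ruby
require "uri"

# Assumption (not stated in the advisory): the activities resource is served
# at /api/v3/activities/<id>. Adjust the prefix if the instance runs under a
# relative URL root.
ACTIVITY_PATH = %r{\A/api/v3/activities/([^/?]*)}

# Combined log format: client, identity, user, [time], "METHOD target PROTO", status
REQUEST = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [02/May/2019:10:01:11 +0000] "GET /api/v3/activities/42 HTTP/1.1" 200 812
  192.0.2.10 - - [02/May/2019:10:01:12 +0000] "GET /api/v3/work_packages/7 HTTP/1.1" 200 4096
  198.51.100.7 - - [02/May/2019:10:02:40 +0000] "GET /api/v3/activities/42%27 HTTP/1.1" 500 312
  198.51.100.7 - - [02/May/2019:10:02:41 +0000] "GET /api/v3/activities/42%29 HTTP/1.1" 200 812
  203.0.113.5 - - [02/May/2019:10:03:00 +0000] "GET /api/v3/activities/ HTTP/1.1" 404 120
LOG

# Returns one hash per request to the activities API whose id segment,
# after percent-decoding, is anything other than decimal digits.
def suspicious_activity_requests(log_text)
  hits = log_text.each_line.map do |line|
    m = REQUEST.match(line)
    next unless m                       # not a parsable access-log line
    client, _method, target, status = m.captures
    path = ACTIVITY_PATH.match(target)
    next unless path                    # some other endpoint
    raw_id = path[1]
    next if raw_id.empty?               # collection request without an id
    id = begin
      URI.decode_www_form_component(raw_id)
    rescue ArgumentError
      raw_id                            # invalid percent-encoding is itself anomalous
    end
    next if id.match?(/\A\d+\z/)        # legitimate ids are plain integers
    { client: client, id: id, status: status.to_i }
  end
  hits.compact
end

if __FILE__ == $PROGRAM_NAME
  suspicious_activity_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:client]} id=#{hit[:id].inspect} status=#{hit[:status]}"
  end
end
```

A hit is a lead for further review, not proof of compromise; whether unauthenticated clients could reach the API at all depends on the instance's authentication setting described above.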

For the full advisory and patches for older unsupported versions, please see this post. For further information on how to responsibly disclose security-related issues to us, please see our statement on security.

Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.
