OpenProject before 8.3.2 SQL Injection Vulnerability

Summary

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

Credit:

The information has been provided by T. Soo.
The original article can be found at: https://www.openproject.org/release-notes/openproject-8-3-2/


Details

Openproject  is prone to a SQL injection vulnerability.This allows remote attackers to execute arbitrary SQL commands via certain vulnerable vectors
Vulnerable Systems:

  • Openproject 5.0.0
  • Openproject 5.0.1
  • Openproject 5.0.2
  • Openproject 5.0.3
  • Openproject 5.0.4
  • Openproject 5.0.5
  • Openproject 5.0.6
  • Openproject 5.0.7
  • Openproject 5.0.8
  • Openproject 5.0.9
  • Openproject 5.0.10
  • Openproject 5.0.11
  • Openproject 5.0.12
  • Openproject 5.0.13
  • Openproject 5.0.14
  • Openproject 5.0.15
  • Openproject 5.0.16
  • Openproject 5.0.17
  • Openproject 5.0.18
  • Openproject 5.0.19
  • Openproject 5.0.20
  • Openproject 6.0.0
  • Openproject 6.0.1
  • Openproject 6.0.2
  • Openproject 6.0.3
  • Openproject 6.0.4
  • Openproject 6.0.5
  • Openproject 6.1.0
  • Openproject 6.1.1
  • Openproject 6.1.2
  • Openproject 6.1.3
  • Openproject 6.1.4
  • Openproject 6.1.5
  • Openproject 6.1.6
  • Openproject 7.0.0
  • Openproject 7.0.1
  • Openproject 7.0.2
  • Openproject 7.0.3
  • Openproject 7.1.0
  • Openproject 7.2.0
  • Openproject 7.2.1
  • Openproject 7.2.2
  • Openproject 7.2.3
  • Openproject 7.3.0
  • Openproject 7.3.1
  • Openproject 7.3.2
  • Openproject 7.4.0
  • Openproject 7.4.1
  • Openproject 7.4.2
  • Openproject 7.4.3
  • Openproject 7.4.4
  • Openproject 7.4.5
  • Openproject 7.4.6
  • Openproject 7.4.7
  • Openproject 8.0
  • Openproject 8.0.1
  • Openproject 8.0.2
  • Openproject 8.1.0
  • Openproject 8.2.0
  • Openproject 8.2.1
  • Openproject 8.3.0
  • Openproject 8.3.1

CVE Information:
CVE-2019-11600

Disclosure Timeline:
Publish Date:05/13/2019