CVE-2019-11600
OpenProject 5.0.0 - 8.3.1 - SQL Injection
Severity Score
8.1
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
4
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.
Una vulnerabilidad de inyección SQL en la API de actividades en OpenProject antes de 8.3.2 permite a un atacante remoto ejecutar comandos SQL arbitrarios a través del parámetro id. El ataque se puede realizar sin autenticar si OpenProject está configurado para no requerir autenticación para el acceso a la API.
OpenProject versions 5.0.0 through 8.3.1 suffer from a remote SQL injection vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-04-30 CVE Reserved
- 2019-05-10 CVE Published
- 2019-05-13 First Exploit
- 2024-08-04 CVE Updated
- 2024-08-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ | X_refsource_misc |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/46838 | 2019-05-13 | |
| http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html | 2024-08-04 | |
| http://seclists.org/fulldisclosure/2019/May/7 | 2024-08-04 | |
| https://seclists.org/bugtraq/2019/May/22 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.openproject.org/release-notes/openproject-8-3-2 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openproject Search vendor "Openproject" | Openproject Search vendor "Openproject" for product "Openproject" | >= 5.0.0 < 8.3.2 Search vendor "Openproject" for product "Openproject" and version " >= 5.0.0 < 8.3.2" | - |
Affected
| ||||||