CVE-2019-11600

CVE Database · CVE-2019-11600

CVE-2019-11600

· N/AModified

CVSS v3.1

N/A

EPSS

79.96%

Published

May 13, 2019

Modified

Nov 21, 2024

Public PoC / Exploit (2)

All weaponized →

Exploit-DBOpenProject 5.0.0 - 8.3.1 - SQL Injection TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

Weaknesses (CWE)

CWE-89

Affected Products (1)

openproject · openproject (up to 8.3.2)vulnerable

References (10)

http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2019/May/7

ExploitMailing ListThird Party Advisory

https://groups.google.com/forum/#%21msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ

https://seclists.org/bugtraq/2019/May/22

ExploitIssue TrackingMailing List

https://www.openproject.org/release-notes/openproject-8-3-2/

Vendor Advisory

http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html

KEV Catalog EPSS Scores Vendors All CVEs