CVE-2019-11600

HIGH

OpenProject <8.3.2 - SQL Injection

Title source: llm

Description

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

Exploits (1)

exploitdb WRITEUP VERIFIED
by SEC Consult · text · webapps · php
https://www.exploit-db.com/exploits/46838

Scores

CVSS v3: 8.1
EPSS: 0.7726
EPSS Percentile: 99.0%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1)
openproject/openproject 5.0.0 - 8.3.2
Published: May 13, 2019
Tracked Since: Feb 18, 2026