CVE-2019-11600

HIGH

OpenProject 5.0.0-8.3.1 - SQL Injection via Activities API ID Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11600. PoCs published by SEC Consult.

AI-analyzed exploit summary: This is a security advisory detailing an unauthenticated SQL injection vulnerability in OpenProject's activities API. The PoC demonstrates a blind SQL injection using a time-based delay via PG_SLEEP.

Description

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

Exploits (1)

exploitdb · Writeup · Verified
by SEC Consult · text · webapps · php
https://www.exploit-db.com/exploits/46838

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: OpenProject 5.0.0 - 8.3.1
No auth needed
Prerequisites: OpenProject instance with API access not requiring authentication
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core References
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc)
http://seclists.org/fulldisclosure/2019/May/7
Exploit, Issue Tracking, Mailing List, Third Party Advisory (mailing-list, x_refsource_bugtraq)
https://seclists.org/bugtraq/2019/May/22
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc)
http://packetstormsecurity.com/files/152806/OpenProject-8.3.1-SQL-Injection.html

Scores

CVSS v3 8.1
EPSS 0.7996
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
openproject/openproject 5.0.0 - 8.3.2
Published May 13, 2019
Tracked Since Feb 18, 2026