OpenProject 8.3.2
We released OpenProject 8.3.2.
The release contains a security-related fix and we urge you to update to the newest version.
CVE-2019-11600
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. This vulnerability has been assigned the CVE identifier CVE-2019-11600.
Versions Affected: 5.0.0 – 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0
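For administrators who cannot patch immediately, one defensive check is to scan the web server access log for requests to the activities endpoint whose id segment is not a plain integer. The script below is an added example, not OpenProject code; it assumes the API v3 path shape /api/v3/activities/{id} and a combined log format, and the log lines it scans are constructed.

```ruby
# Flag requests to the activities API whose id segment is not a plain integer.
# Assumption: the endpoint is /api/v3/activities/{id} (path shape taken from the
# OpenProject API v3 layout, not from the advisory itself).
ACTIVITY_PATH = %r{\A/api/v3/activities/([^/?]+)}
REQUEST_LINE  = /"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/

# Constructed sample log lines (combined log format); the second one carries a
# non-numeric id segment and should be reported.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/May/2019:10:01:02 +0000] "GET /api/v3/activities/42 HTTP/1.1" 200 1432
  10.0.0.7 - - [10/May/2019:10:01:09 +0000] "GET /api/v3/activities/42%27 HTTP/1.1" 500 512
  10.0.0.9 - - [10/May/2019:10:02:11 +0000] "GET /api/v3/work_packages/7 HTTP/1.1" 200 2210
  10.0.0.5 - - [10/May/2019:10:03:40 +0000] "GET /api/v3/activities/43?offset=1 HTTP/1.1" 200 1401
LOG

# Percent-decode a path component without treating '+' as a space.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Returns the decoded id segment for an activities API request, or nil when the
# line is not a request to that endpoint.
def activity_id_segment(line)
  req = REQUEST_LINE.match(line)
  return nil unless req
  seg = ACTIVITY_PATH.match(percent_decode(req[1]))
  seg && seg[1]
end

# Collects every request whose activities id is not purely numeric, recording
# the client address and the offending id value for triage.
def suspicious_activity_requests(log_text)
  log_text.each_line.with_object([]) do |line, hits|
    seg = activity_id_segment(line)
    next if seg.nil? || seg.match?(/\A\d+\z/)
    hits << { client: line.split(' ', 2).first, id: seg }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_activity_requests(SAMPLE_LOG).each do |hit|
    puts "non-integer activities id from #{hit[:client]}: #{hit[:id].inspect}"
  end
end
```

A hit only shows that unexpected input reached the endpoint; correlate it with the response status and with whether API access is configured to require authentication before treating it as exploitation.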
For the full advisory and patches for older unsupported versions, please see this post. For our statement on security and further information on how to responsibly disclose security-related issues to us, please see our statement on security.
Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab for identifying and responsibly disclosing these issues.