Vulnerabilities for 'Openproject'

2019-05-13
 
CVE-2019-11600

CWE-89
 

 
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

 
2017-07-26
 
CVE-2017-11667

 

 
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

 


Copyright 2019, cxsecurity.com

 
