T. Soo

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 8.3.2 **Description** A SQL injection issue in the activities API allows a remote attacker to execute arbitrary SQL commands via the `id` parameter. This attack can be performed without authentication if OpenProject is configured to not require authentication for API access. **Recommendations** For versions prior to 8.3.2, update to version 8.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the activities API or requiring authentication for API access to minimize the risk of exploitation. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved.