CVE-2019-11600

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 8.3.2

Description A SQL injection issue in the activities API allows a remote attacker to execute arbitrary SQL commands via the id parameter. This attack can be performed without authentication if OpenProject is configured to not require authentication for API access.

Recommendations For versions prior to 8.3.2, update to version 8.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the activities API or requiring authentication for API access to minimize the risk of exploitation. Avoid using the id parameter in the affected API endpoint until the issue is resolved.