TheDude
/
openproject
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OpenProject is the leading open source project management software.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
61974 Commits
139 Branches
203 Tags
1.2 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 9ee95161f6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9ee95161f6'
${ noResults }
openproject/docs/release-notes/9-0-4/README.md

23 lines
931 B
Raw Blame History

---
title: OpenProject 9.0.4
sidebar_navigation:
title: 9.0.4
release_version: 9.0.4
release_date: 2019-07-23
---
# [CVE-2019-17092] XSS injection vulnerability in projects listing in versions before 9.0.4, 10.0.2
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
This vulnerability has been assigned the CVE identifier CVE-2019-17092.
Versions Affected: Versions <= 9.0.3, 10.0.1
Fixed Versions: 9.0.4, 10.0.2
## Credits
Thanks to David Haintz from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing the identified issues.
#### Contributions
Thanks to David Haintz from [SEC Consult Vulnerability Lab](https://www.sec-consult.com/) for identifying and responsibly disclosing the identified issues.