OpenProject is the leading open source project management software.
openproject/docs/release-notes/8-3-2
Oliver Günther e1c642f46e
Move help into docs
5 years ago

title: OpenProject 8.3.2
sidebar_navigation: [{title 8.3.2}]
release_version: 8.3.2
release_date: 2019-04-30

OpenProject 8.3.2

We released OpenProject 8.3.2.
The release contains a security-related fix, and we urge you to update to the newest version.

CVE-2019-11600

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. This vulnerability has been assigned the CVE identifier CVE-2019-11600.

Versions Affected: 5.0.0 – 8.3.1
Not affected: Versions < 5.0.0
Fixed Versions: 8.3.2, 9.0.0
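
For operators triaging an instance, the following added example (not part of the original release notes or of OpenProject's code) checks a version string against the affected range above and lists access-log requests to the activities API whose id is not a plain integer. The route `/api/v3/activities/<id>`, the combined log format, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Affected range as stated in the advisory: 5.0.0 through 8.3.1.
AFFECTED_MIN, FIRST_FIXED = (5, 0, 0), (8, 3, 2)

# Assumption: activities are served at /api/v3/activities/<id>; adjust for
# a relative URL root or a different access-log format.
ACTIVITY_REQ = re.compile(r'"[A-Z]+ \S*?/api/v3/activities/([^\s?]*)')


def is_affected(version):
    """True if an OpenProject version string lies in the affected range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p or 0) for p in m.groups())
    return AFFECTED_MIN <= parts < FIRST_FIXED


def non_numeric_activity_ids(log_lines):
    """Return (client, raw_id) for activity requests whose id is not an integer."""
    hits = []
    for line in log_lines:
        m = ACTIVITY_REQ.search(line)
        if not m:
            continue
        raw_id = m.group(1)
        # Decode twice so doubly percent-encoded values are also caught.
        if not re.fullmatch(r"\d+", unquote(unquote(raw_id))):
            hits.append((line.split()[0], raw_id))
    return hits


# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Apr/2019:10:00:01 +0000] "GET /api/v3/activities/42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Apr/2019:10:00:05 +0000] "GET /api/v3/activities/42%20abc HTTP/1.1" 500 120',
    '198.51.100.9 - - [30/Apr/2019:10:00:06 +0000] "GET /api/v3/work_packages/7 HTTP/1.1" 200 900',
    '203.0.113.4 - - [30/Apr/2019:10:00:09 +0000] "GET /api/v3/activities/17?x=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(is_affected("8.3.1"), is_affected("8.3.2"))
    for client, raw_id in non_numeric_activity_ids(SAMPLE_LOG):
        print(f"review: {client} requested activity id {raw_id!r}")
```

A hit is only a lead for review on an instance that ran an affected version; it does not by itself show that a query was altered.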

For the full advisory and patches for older unsupported versions, please see this post. For our statement on security and further information on how to responsibly disclose security-related issues to us, please see our statement on security.

Thanks to Thanaphon Soo from the SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.