OpenProject is the leading open source project management software.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
openproject/docs/release-notes/9-0-4/README.md

930 B

title sidebar_navigation release_version release_date
OpenProject 9.0.3 [{title 9.0.3}] 9.0.3 2019-07-23

[CVE-2019-17092] XSS injection vulnerability in projects listing in versions before 9.0.4, 10.0.2

An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.

This vulnerability has been assigned the CVE identifier CVE-2019-17092.

Versions Affected: Versions <= 9.0.3, 10.0.1 Fixed Versions: 9.0.4, 10.0.2

Credits

Thanks to David Haintz from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing the identified issues.

Contributions

Thanks to David Haintz from SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.