Intrusion Prevention

OPF.OpenProject.Activities.API.SQL.Injection

Description

This indicates an attack attempt to exploit a SQL Injection Vulnerability in OPF OpenProject.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the Activities API endpoint. Successful exploitation results in the execution of arbitrary SQL code against the underlying database.

Affected Products

OPF OpenProject 5.0.0 - 8.3.1

Impact

System Compromise: Remote attackers can add, view, delete or modify data in the database of the affected application

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ

CVE References

CVE-2019-11600