Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.
AnalysisAI
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. Affected products include: Openproject. Version information: before 8.3.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in Openproject
View allOpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication toke
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today