The ]po[ team has fixed a security hole that exposes the list of project names, together with the names of the project managers, to any user who can access the system.
Versions Affected:
* All ]po[ installations with version V3.3 and higher are affected.
Impact:
The bug allows attackers to retrieve the names of all projects in the system, together with the name of the project manager and the start and end dates of each project.
It is not possible for the attacker to change any information.
Solution:
* Please update the intranet-reporting-tutorial package to the latest version, or uninstall this package.
Credits:
* Thanks to Pratik Gandhi for pointing out the issue.
Vendor Information:
]project-open[ (http://www.project-open.com/) is a project and portfolio management system for companies and departments in the IT, consulting and building sectors, or any organization that runs projects as its main business. The ]po[ architecture is designed for mission-critical applications with a rock-solid infrastructure and a sophisticated role-based permission system.