This is a short notice that an independent security researcher has found:
We confirm these issues in general.
The attacks can be executed remotely and require that the attacker is a registered user.
Probably all versions of ]po[ are affected, from 3.3 to 5.0.3.
We will fix these issues and let you know about it ASAP.
Bests
Frank
Hi,
We have developed a patch for the most serious SQL injection vulnerability found in the report.
Please contact info@project-open.com for details.
We would consider the other (non-persistent XSS) vulnerability as not that critical, because:
1. Quite some knowledge is required to create suitable URLs,
2. most ]po[ systems run locally, and
3. an attacker would have to make the victim click on a forged link.
In order to consistently fix the XSS issues, we would have to update the OpenACS core version to 5.10 and to perform a considerable number of changes in the ]po[ code, with the possibility of errors.
So we have decided to speed up the development of ]po[ V5.1 with focus only on these issues.
Best regards
Frank