|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-01-17 | |
| Rule Name: | OpenProject 'sortBy' query Reflected Cross Site Scripting Vulnerability (CVE-2019-17092) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled. | |
| Impact: | An attacker can conduct a cross-site scripting attack to inject malicious client-side scripts into web pages viewed by other users, or to bypass access controls such as the same-origin policy, if affected version is installed. | |
| Affected OS: | Windows, Others | |
| Reference: | http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Oct/29 https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA https://seclists.org/bugtraq/2019/Oct/19 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://www.openproject.org |