CVE-2019-17092
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-17092
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17092.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-17092
- Published
- 2019-10-09T19:15:13Z
- Modified
- 2025-01-14T07:53:26.038771Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.
- References
-
- https://www.openproject.org/release-notes/openproject-10-0-2/
- https://www.openproject.org/release-notes/openproject-9-0-4/
- http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/Oct/29
- https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA
- https://seclists.org/bugtraq/2019/Oct/19
Affected packages
Git / github.com/opf/openproject
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opf/openproject
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0
v9.0.0-pre
v9.0.1
v9.0.2
v9.0.2-pre
v9.0.3