{"api_version":"1","generated_at":"2026-04-23T08:39:29+00:00","cve":"CVE-2019-17092","urls":{"html":"https://cve.report/CVE-2019-17092","api":"https://cve.report/api/cve/CVE-2019-17092.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-17092","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-17092"},"summary":{"title":"CVE-2019-17092","description":"An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-10-09 19:15:00","updated_at":"2023-11-07 03:06:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"http://seclists.org/fulldisclosure/2019/Oct/29","name":"20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA","name":"https://groups.google.com/forum/#%21topic/openproject-security/tEsx0UXWxXA","refsource":"","tags":[],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA","name":"https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html","name":"http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html","refsource":"MISC","tags":[],"title":"OpenProject 10.0.1 / 9.0.3 Cross Site Scripting ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.openproject.org/release-notes/openproject-9-0-4/","name":"https://www.openproject.org/release-notes/openproject-9-0-4/","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"OpenProject 9.0.4 » OpenProject.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Oct/19","name":"20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","refsource":"BUGTRAQ","tags":[],"title":"Bugtraq: SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.openproject.org/release-notes/openproject-10-0-2/","name":"https://www.openproject.org/release-notes/openproject-10-0-2/","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"OpenProject 10.0.2 » OpenProject.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-17092","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17092","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"17092","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openproject","cpe5":"openproject","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17092","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openproject","cpe5":"openproject","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-17092","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://www.openproject.org/release-notes/openproject-10-0-2/","url":"https://www.openproject.org/release-notes/openproject-10-0-2/"},{"refsource":"CONFIRM","name":"https://www.openproject.org/release-notes/openproject-9-0-4/","url":"https://www.openproject.org/release-notes/openproject-9-0-4/"},{"refsource":"MISC","name":"https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA","url":"https://groups.google.com/forum/#!topic/openproject-security/tEsx0UXWxXA"},{"refsource":"FULLDISC","name":"20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","url":"http://seclists.org/fulldisclosure/2019/Oct/29"},{"refsource":"BUGTRAQ","name":"20191014 SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject","url":"https://seclists.org/bugtraq/2019/Oct/19"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html","url":"http://packetstormsecurity.com/files/154851/OpenProject-10.0.1-9.0.3-Cross-Site-Scripting.html"}]}},"nvd":{"publishedDate":"2019-10-09 19:15:00","lastModifiedDate":"2023-11-07 03:06:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*","versionEndExcluding":"9.0.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"17092","Ordinal":"156864","Title":"CVE-2019-17092","CVE":"CVE-2019-17092","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"17092","Ordinal":"1","NoteData":"An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"17092","Ordinal":"2","NoteData":"2019-10-09","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"17092","Ordinal":"3","NoteData":"2019-10-14","Type":"Other","Title":"Modified"}]}}}