Skip to main content


May 14, 2019 Vulnerability RPD-3849: ECT Provider remote code execution



May 14, 2019 Vulnerability RPD-3849: ECT Provider remote code execution


On February 2019, OutSystems became aware of a vulnerability in the ECT Provider platform component. Using the CVSS scoring system, OutSystems has assessed the impact and risk of this vulnerability for cloud and on-premises platform deployments across all supported stacks and classified it accordingly using the CVSS 3.0 scoring system.

The information in this communication will allow you to ascertain the level of exposure to your systems and determine how you should proceed to mitigate the threat.

Technology Stacks

This vulnerability affects all supported Platform Server stacks.

Vulnerability Risk

Base Score: 8.1 (High)

Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

How to Fix On-Premises Installations

OutSystems issued new versions of the Platform that address this vulnerability.

OutSystems 10

This vulnerability is fixed for Platform Server version 10.0.1005.2 and all subsequent versions.

For OutSystems PaaS (Cloud) customers we’ve applied the security fix for 10.0.1005.1 and all subsequent versions.

OutSystems 11

The vulnerability is fixed for Platform Server version Release Jan.2019 CP2 and all subsequent versions.

For OutSystems PaaS (Cloud) customers we've applied the security fix to all OutSystems 11 versions.

All customers who have yet to update their platform instances are strongly encouraged to do so.

Workaround for On-Premises Customers

A Platform Server upgrade is strongly advised. If you do not have the opportunity to upgrade, we advise you to disable the ECT Provider component for all eSpaces.

OutSystems Cloud

OutSystems notified cloud customers and updated or applied a patch to all supported cloud infrastructures.

The environments were patched without the need for a platform server version update. 

More About This Vulnerability

This vulnerability is in the ECT Provider component. An unauthenticated attacker could use the endpoint provided by this component to inject arbitrary JavaScript code, which could then execute when an ECT Provider user accesses the ECT Provider back-office in the App Feedback application via a web browser. In some cases, the injected code runs with high privileges on the OutSystems platform.

Vulnerability reported by Mina Edwar.