Skip to main content









Vulnerability RDEV-2256

  • Edit
    Collaborate with us
    Edit this page on GitHub
  • Overview

    OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, integrity, and availability of the end user data. OutSystems doesn't have any indication or reason to believe that this vulnerability has been exploited in the wild.

    Vulnerability risk

    Base Score: 8.3 (High)

    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N


    To understand the phases involved in the process, how, and when we communicate, check this article. This vulnerability is currently on the embargo phase.

    • Embargo phase: This vulnerability was first communicated to all customers on October 16, 2020.
    • Public disclosure: Full details on this vulnerability were disclosed on April 13, 2021.

    Vulnerability details

    This vulnerability resides on OutSystems Platform Server and consists on two APIs which allowed unauthorized access and modification of user data.

    Technology stacks and affected versions

    This vulnerability affects a limited subset of Platform Server 11 and LifeTime management console versions.

    Platform Server

    • Release Oct.2019
    • Release Oct.2019 CP1
    • Release Oct.2019 CP2
    • Release Oct.2019 CP3
    • Release Oct.2019 CP6
    • 11.7.2
    • 11.7.3

    LifeTime management console

    • Release Dec.2019
    • 11.4.2
    • 11.5.0
    • 11.5.2
    • 11.5.3

    Protecting your OutSystems installation

    The necessary actions to protect against this vulnerability may differ depending on the deployment model (OutSystems cloud or self managed) and the version. Please check the following sections for the action that applies to your environments.

    OutSystems Cloud

    OutSystems will apply a hotfix targeted at the specific version of each affected environment. The hotfix won't require an update of the Platform Server version but it requires downtime. All customers already received a schedule for a maintenance operation between October 19 and November 22, 2020 that includes the period of downtime for each environment.

    Self managed installations

    OutSystems released new versions of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are encouraged to do so.

    OutSystems 11

    Platform Server release 11.8.0 and LifeTime Management Console 11.6.0 address this vulnerability. All subsequent releases are protected.


    There is no workaround, we strongly advise you to update to the above mentioned versions.


    Question Answer
    By exploiting this vulnerability can an attacker access my data? Yes. By exploiting this vulnerability, an attacker will have access to data stored by the OutSystems Platform.
    Has this vulnerability been exploited in the wild? OutSystems doesn't have any evidence that this vulnerability has been exploited in the wild or that any customer was affected.
    What do I need to do? Update your OutSystems Platform Server to the above-mentioned version that applies. For cloud environments, OutSystems will patch the environments for you.
    Who can I talk to about this? If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.
    • Was this article helpful?