Vulnerability RICT-2855

    Overview

    OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the integrity and availability of a development workstation.

    Vulnerability risk

    Base Score: 8.2 (High)

    Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L


    To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the embargo phase.

    • Embargo phase: This vulnerability was first published on December 2, 2020.
    • Public disclosure: Full details on this vulnerability were disclosed on March 3, 2021.

    Vulnerability details

    This vulnerability resides in the Integration Studio extension verification capability. An attacker capable of performing a man-in-the-middle (MitM) attack between the developer and a server could downgrade the connection and have the developer download and execute a malicious payload on the workstation.

    Components and stacks

    This vulnerability affects all Integration Studio 11 versions.

    Protecting your OutSystems installation

    OutSystems issued Development Environment release 11.9.1, which addresses this vulnerability. All developers who have yet to update their Development Environment are strongly encouraged to do so.

    This vulnerability doesn't affect Integration Studio installed on the Platform Server. Therefore, the only necessary action is for developers to update their own Development Environment to the latest release.


    There is no workaround. We strongly advise you to update to the above-mentioned versions.


    | Question | Answer |
    | --- | --- |
    | By exploiting this vulnerability can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will, in time, have access to data stored in your workstation. |
    | What do I need to do? | Update your OutSystems Development Environment to the above-mentioned version. |
    | Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels. |