Skip to main content





Vulnerability RLIT-2388

  • Edit
    Collaborate with us
    Edit this page on GitHub
  • Overview

    OutSystems became aware of a vulnerability in Service Center and Lifetime. Using the CVSS 3.0 scoring system, OutSystems has assessed the impact and risk of this vulnerability for cloud and on-premises Platform deployments across all supported stacks and classified it accordingly.

    You can use the information in this communication to ascertain the level of exposure to your systems and determine how you should proceed to mitigate the threat.

    Technology Stacks

    This vulnerability affects all supported Platform Server stacks.

    Vulnerability Risk

    Base Score: 7.1 (High)

    Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N


    To understand the phases involved in the process, how and when we communicate, check this article.

    • Embargo phase: This vulnerability was first communicated to all customers on May 14, 2019
    • Public disclosure: Full details on this vulnerability were disclosed on August 2019

    Vulnerability details

    Some Service Center and Lifetime pages were not properly protected from unauthenticated access. This means that an attacker could access certain parameters or mobile application compilation configuration.

    Protecting your OutSystems Platform

    OutSystems Cloud

    OutSystems notified cloud customers and updated or applied a patch to all affected cloud infrastructures.

    The environments were patched without the need for a Platform server version update.

    On-Premises Installations

    OutSystems issued new releases of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.

    OutSystems 10

    This vulnerability is fixed for version 10.0.1005.2 and all subsequent versions.

    OutSystems 11

    The vulnerability is fixed for version Release Jan.2019 CP2 and all subsequent versions.


    For on-premises installations, a Platform server update is strongly advised. If you do not have the opportunity to update, we advise you to restrict access to Service Center and Lifetime to only trusted IPs by enabling configuring the Internal Network.


    Question Answer
    By exploiting this vulnerability can an attacker access my data? No. By exploiting this vulnerability an attacker will be able to compromise the integrity and availability of the data but not the confidentiality.
    Has this vulnerability been exploited in the wild? OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
    What do I need to do? Update your OutSystems Platform Server to the above-mentioned version that applies.
    Will OutSystems share any more information about this vulnerability? All the details that can be shared were already disclosed in this article.
    Who can I talk to about this? If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.
    • Was this article helpful?