Skip to main content

 

 

 

 

Template:OutSystems/Documentation_KB/Breadcrumb_New_Layout

 

 

Template:OutSystems/OSLanguageSwitcher

 

 

 

OutSystems

Vulnerability RLIT-3368

Overview

OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, availability, and integrity of the data handled and stored by the OutSystems Platform.

OutSystems does not have any indication or reason to believe that this vulnerability has been exploited in the wild.

Technology stacks

This vulnerability affects all supported Platform server stacks.

Vulnerability risk

Base Score: 9.1 (Critical)

Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Communication

To understand the phases involved in the process, how and when we communicate, check this article.

  • Embargo phase: This vulnerability was first communicated to all customers on March 13, 2020

  • Public disclosure: Full details on this vulnerability were disclosed on May 29, 2020

Vulnerability details

OutSystems ServiceCenter contained a SQL Injection vulnerability that could be exploited via a sort condition that would allow an authenticated ServiceCenter user to fully compromise the availability, integrity and confidentiality of all data present on the database.

Protecting your OutSystems Platform

OutSystems Cloud

OutSystems notified all its Cloud customers and applied a no-impact / no-downtime hotfix targeted at the specific version of each customer.

On-Premises Installations

OutSystems released new versions of the Platform Server that address this vulnerability.

OutSystems 10

OutSystems released version 10.0.1023.0 of the Platform Server that addresses this vulnerability. All versions from Platform Server version 10.0.1023.0 onwards will not be affected by this vulnerability.

OutSystems 11

OutSystems released a version 11.7.3 of the Platform Server that addresses this vulnerability.

All version Platform Server version 11.7.3 onwards will be protected.

Workaround

There is no workaround, we strongly advise you to update to the above-mentioned version that applies.

FAQs

Question Answer
By exploiting this vulnerability can an attacker access my data? Yes. By exploiting this vulnerability, an attacker will have full access to all data stored by the OutSystems Platform.
Has this vulnerability been exploited in the wild? OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
What do I need to do? Update your OutSystems Platform to the above-mentioned version that applies. For Cloud Customers, OutSystems will apply a no-impact / no-downtime hotfix.
Will OutSystems share any more information about this vulnerability? In order to protect its customers, OutSystems will not provide any additional information about this vulnerability before May 2020.
Who can I talk to about this? If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.
  • Was this article helpful?