Vulnerability RPD-4260

    Overview

    OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the availability and integrity of the data handled and stored by the OutSystems Platform.

    Technology Stacks

    This vulnerability affects all supported platform stacks.

    Vulnerability Risk

    Base Score: 7.6 (High)

    Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L


    To understand the phases involved in the process, and how and when we communicate, check this article.

    • Embargo phase: This vulnerability was first communicated to all customers on December 12, 2019.
    • Public disclosure: Full details on this vulnerability were disclosed in March 2020.

    Vulnerability details

    This vulnerability resides in the mechanism used by the OutSystems Platform to validate developer permissions. By exploiting this vulnerability, a Developer with the "Reuse & Monitor" role is able to use the advanced query feature of Service Studio to corrupt or delete the data in the database.

    Protecting your OutSystems Platform

    OutSystems Cloud

    For OutSystems Cloud, OutSystems updated all version 10 infrastructures to release 10.0.1020.0 and all version 11 infrastructures to Release OCT.19 CP5.

    Self-managed installations

    OutSystems issued new releases of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.

    OutSystems 10

    This vulnerability is fixed in version 10.0.1016.0 and all subsequent versions.

    OutSystems 11

    The vulnerability is fixed in Release OCT.19 CP4.


    There is no workaround. We strongly advise updating to the above-mentioned releases.


    Question: By exploiting this vulnerability can an attacker access my data?
    Answer: No. By exploiting this vulnerability an attacker will be able to compromise the integrity and availability of the data but not the confidentiality.

    Question: Has this vulnerability been exploited in the wild?
    Answer: OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.

    Question: What do I need to do?
    Answer: Update your OutSystems Platform Server to the above-mentioned version that applies.

    Question: Will OutSystems share any more information about this vulnerability?
    Answer: All the details that can be shared were already disclosed in this article.

    Question: Who can I talk to about this?
    Answer: If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.