Skip to main content













Vulnerability RPD-4310


OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the Availability and Integrity of the data handled and stored by the OutSystems Platform.

The exploitation of this vulnerability will not compromise the Confidentiality of your data.

Technology Stacks

This vulnerability affects all supported platform stacks.

Vulnerability Risk

Base Score: 7.2 (High)

Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L


To understand the phases involved in the process, how and when we communicate, check this article.

  • Embargo phase: This vulnerability was first communicated to all customers on December 12, 2019
  • Public disclosure: Full details on this vulnerability were disclosed in March 2020.

Vulnerability details

This vulnerability resides in the Upload widget. By exploiting this vulnerability, an unauthenticated attacker would be able to upload arbitrary files to the platform.

In some cases, this attack may consume the available database space causing a Denial of Service, corrupt legit data if files are being processed asynchronously or even deny access to the legit uploaded files.

Protecting your OutSystems Platform

OutSystems has issued new releases of the Platform Server to address this vulnerability.

OutSystems Cloud

OutSystems will update all cloud infrastructures to version 10.0.1021.0 or to Release OCT.19 CP6, depending on their current version.

On-Premises Installations

All customers who have yet to update their Platform servers are strongly encouraged to do so.

OutSystems 10

This vulnerability is fixed for version 10.0.1019.0 and all subsequent versions.

OutSystems 11

The vulnerability is fixed on Release OCT.19 CP4 and all subsequent versions.


There is no workaround, we strongly advise to update to the above mentioned versions.


Question Answer
By exploiting this vulnerability can an attacker access my data? No. By exploiting this vulnerability an attacker will be able to compromise the integrity and availability of the data but not the confidentiality.
Has this vulnerability been exploited in the wild? OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.
What do I need to do? Update your OutSystems Platform to the above-mentioned version that applies. For Cloud Customers, OutSystems will update the platform for you.
Will OutSystems share any more information about this vulnerability? All the details that can be shared were already disclosed in this article.
Who can I talk to about this? If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.

Vulnerability reported by Joshua Provoste.

  • Was this article helpful?