Exploitation of this issue results in system takeover. Criticality of this issue was determined by the fact that system takeover bypasses authentication requirements. An attacker can inject arbitrary SQL commands that result in complete system takeover. We recommend system administrators to review the source code of all installed applications to determine if there are any potential security issues. As simple task management system is open source, the source code can easily be inspected for possible issues.
SQL Injection
SQL Injection is one of the most common web application vulnerabilities. It is an attack that requires a database administrator to be tricked into issuing a specially crafted SQL query or malformed data in such a way that it causes unintended behavior by the database software. This vulnerability can allow an attacker to execute commands on the vulnerable system without permission or knowledge.
The vulnerability can also be exploited by injecting code through user-input fields in web forms and other input mechanisms, making it much more difficult to protect against than other types of injection attacks.
It's important to note that not all SQL injection vulnerabilities are exploitable, particularly when the vulnerable software implements some form of input validation before sending data to the attacked server. In this case, as soon as an attacker sends input that does not match any valid values for what was requested, the software returns an error and stops processing further queries from the attacker.
Upgrade to Version 3.2.0-RC1 or Later
Upgrade to version 3.2.0-RC1 or later to avoid this vulnerability.
Please upgrade your application to version 3.2.0-RC1 or later. Version 3.2.0-RC1 is available for download from our website:
http://www.openprojectmanagementsystems.com/downloads/
Please upgrade soon as we are taking this issue seriously and it is the intention of the developer that all users should upgrade as soon as possible.
Timeline
Published on: 09/21/2022 18:15:00 UTC
Last modified on: 09/22/2022 16:14:00 UTC