CVE-2017-11667

CVE Database · CVE-2017-11667

CVE-2017-11667

· N/AModified

CVSS v3.1

N/A

EPSS

1.42%

Published

Jul 26, 2017

Modified

May 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

Weaknesses (CWE)

CWE-613

Affected Products (4)

openproject · openprojectvulnerable

References (6)

https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee

Patch

https://www.openproject.org/openproject-6-1-6-released-security-fix/

Vendor Advisory

https://www.openproject.org/openproject-7-0-3-released/

Vendor Advisory

https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee

Patch

https://www.openproject.org/openproject-6-1-6-released-security-fix/

Vendor Advisory

https://www.openproject.org/openproject-7-0-3-released/

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs