Orangescrum

Orangescrum

9 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2021-47716

Exploit
  • EPSS 0.04%
  • Veröffentlicht 23.12.2025 19:35:40
  • Zuletzt bearbeitet 31.12.2025 17:15:17

Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to exec...

8.7

CVE-2021-47720

Exploit
  • EPSS 0.01%
  • Veröffentlicht 23.12.2025 19:34:06
  • Zuletzt bearbeitet 31.12.2025 17:15:29

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, p...

8.8

CVE-2021-47721

Exploit
  • EPSS 0.02%
  • Veröffentlicht 23.12.2025 19:34:06
  • Zuletzt bearbeitet 31.12.2025 21:44:19

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replac...

5.4

CVE-2024-48392

Exploit
  • EPSS 0.33%
  • Veröffentlicht 21.01.2025 21:15:10
  • Zuletzt bearbeitet 30.09.2025 21:01:01

OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.

7.6

CVE-2023-1783

Exploit
  • EPSS 0.08%
  • Veröffentlicht 23.06.2023 22:15:08
  • Zuletzt bearbeitet 21.11.2024 07:39:53

OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.

6.1

CVE-2023-0738

Exploit
  • EPSS 0.11%
  • Veröffentlicht 04.04.2023 23:15:07
  • Zuletzt bearbeitet 13.02.2025 16:15:37

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

6.1

CVE-2023-0624

Exploit
  • EPSS 0.23%
  • Veröffentlicht 09.02.2023 16:15:11
  • Zuletzt bearbeitet 24.03.2025 21:15:15

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

8.1

CVE-2023-0454

Exploit
  • EPSS 0.39%
  • Veröffentlicht 01.02.2023 03:15:08
  • Zuletzt bearbeitet 27.03.2025 15:15:41

OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.

8.8

CVE-2023-0164

Exploit
  • EPSS 0.74%
  • Veröffentlicht 18.01.2023 22:15:10
  • Zuletzt bearbeitet 03.04.2025 20:15:19

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.