CVE-2024-48392

Published: Jan 21, 2025Modified: Sep 30, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.

Affected (1)

Products: Orangescrum: Orangescrum

Orangescrum

1 product

Orangescrum

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orangescrum Orangescrum	Version 2.0.11

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/Renzusclarke/CVE-2024-48392-PoC

Source: cve@mitre.org

Exploit

https://github.com/Renzusclarke/CVE-2024-48392-PoC/blob/main/poc.txt

Source: cve@mitre.org

Exploit

https://www.orangescrum.com/

Source: cve@mitre.org

Product

https://github.com/Renzusclarke/CVE-2024-48392-PoC/blob/main/poc.txt

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit

Timeline

No history available yet.