Orangescrum

orangescrum

9 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-47721 1Orangescrum 1Orangescrum Dec 31, 2025 Dec 23, 2025 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID f...Show more Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.Show less
CVE-2021-47720 1Orangescrum 1Orangescrum Dec 31, 2025 Dec 23, 2025 8.7 HIGH· v4 7.1 HIGH· v3 N/A· v2 Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into par...Show more Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.Show less
CVE-2021-47716 1Orangescrum 1Orangescrum Dec 31, 2025 Dec 23, 2025 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'C...Show more Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints.Show less
CVE-2024-48392 1Orangescrum 1Orangescrum Sep 30, 2025 Jan 21, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.
CVE-2023-1783 1Orangescrum 1Orangescrum Nov 21, 2024 Jun 23, 2023 N/A· v4 7.6 HIGH· v3 N/A· v2 OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.
CVE-2023-0738 1Orangescrum 1Orangescrum Feb 13, 2025 Apr 4, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type s...Show more OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.Show less
CVE-2023-0624 1Orangescrum 1Orangescrum Mar 24, 2025 Feb 9, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type s...Show more OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.Show less
CVE-2023-0454 1Orangescrum 1Orangescrum Mar 27, 2025 Feb 1, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construc...Show more OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.Show less
CVE-2023-0164 1Orangescrum 1Orangescrum Apr 3, 2025 Jan 18, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.