Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Orangescrum Subscribe
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0624 1 Orangescrum 1 Orangescrum 2023-02-16 N/A 6.1 MEDIUM
OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.
CVE-2023-0454 1 Orangescrum 1 Orangescrum 2023-02-07 N/A 8.1 HIGH
OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
CVE-2023-0164 1 Orangescrum 1 Orangescrum 2023-01-27 N/A 8.8 HIGH
OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.