Remote Command Execution Vulnerability in OrangeScrum by FluidAttacks
CVE-2023-0164

8.8HIGH

Key Information:

Vendor: Orangescrum
Status: Orangescrum
Vendor: CVE Published:; 18 January 2023

🔔 Create Orangescrum Vulnerability Alert

What is CVE-2023-0164?

The vulnerability in OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This situation arises due to the application improperly sanitizing user inputs, resulting in the injection of attacker-controlled parameters into system functions. Consequently, this flaw poses a risk of unauthorized access and manipulation of the server's operations, making it essential for users to apply updates or mitigate the risk.

Affected Version(s)

OrangeScrum 2.0.11

References

https://fluidattacks.com/advisories/queen/

https://github.com/Orangescrum/orangescrum

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 18, 2023
Vulnerability Reserved
Jan 10, 2023

JSON