File Deletion Vulnerability in OrangeScrum by Fluid Attacks
CVE-2023-0454

8.1HIGH

Key Information:

Vendor: Orangescrum
Status: Orangescrum
Vendor: CVE Published:; 1 February 2023

🔔 Create Orangescrum Vulnerability Alert

What is CVE-2023-0454?

The file deletion vulnerability in OrangeScrum version 2.0.11 allows authenticated external attackers to exploit an unsanitized parameter to delete arbitrary files on the server. This security issue arises from improper handling of user input, enabling an attacker to manipulate local paths and gain unauthorized access to sensitive files.

Affected Version(s)

OrangeScrum 2.0.11

References

https://fluidattacks.com/advisories/slushii/

https://github.com/Orangescrum/orangescrum/

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 1, 2023
Vulnerability Reserved
Jan 24, 2023

JSON