OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering
CVE-2023-1783

6.5MEDIUM

Key Information:

Vendor

Orangescrum

Status
Orangescrum
Vendor
CVE Published:
23 June 2023

What is CVE-2023-1783?

OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.

Affected Version(s)

Orangescrum Linux 2.0.11

References

https://github.com/Orangescrum/orangescrum/
https://fluidattacks.com/advisories/stirling/

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2023-1783 : OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering