Orangescrum: >> Orangescrum >> 2.0.11 Security Vulnerabilities
OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.
CVSS Score
5.4
EPSS Score
0.003
Published
2025-01-21
OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-06-23
OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-04-04
OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-02-09
OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
CVSS Score
8.1
EPSS Score
0.001
Published
2023-02-01
OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.
CVSS Score
8.8
EPSS Score
0.002
Published
2023-01-18