Lucene search

Fluid AttacksCVE-2023-0624

HistoryFeb 09, 2023 - 4:15 p.m.

CVE-2023-0624

2023-02-0916:15:11

CWE-79

Fluid Attacks

web.nvd.nist.gov

orangescrum

cve-2023-0624

security vulnerability

user accounts

text/html

nvd

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

Affected configurations

Nvd

Node

orangescrumorangescrumMatch2.0.11

VendorProductVersionCPE
orangescrumorangescrum2.0.11cpe:2.3:a:orangescrum:orangescrum:2.0.11:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
orangescrum	orangescrum	2.0.11	cpe:2.3:a:orangescrum:orangescrum:2.0.11:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "OrangeScrum",
    "versions": [
      {
        "version": "2.0.11",
        "status": "affected"
      }
    ]
  }
]

References

fluidattacks.com/advisories/oberhofer/

github.com/Orangescrum/orangescrum/

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

Related for CVE-2023-0624