Lucene search

K
cve[email protected]CVE-2023-0738
HistoryApr 04, 2023 - 11:15 p.m.

CVE-2023-0738

2023-04-0423:15:07
CWE-79
web.nvd.nist.gov
19
cve-2023-0738
orangescrum
version 2.0.11
security vulnerability
arbitrary user account retrieval
text/html
content-type
nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.8%

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

Affected configurations

NVD
Node
orangescrumorangescrumMatch2.0.11

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "OrangeScrum",
    "versions": [
      {
        "version": "2.0.11",
        "status": "affected"
      }
    ]
  }
]

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.8%

Related for CVE-2023-0738