Lucene search

[email protected]NVD:CVE-2023-0624

HistoryFeb 09, 2023 - 4:15 p.m.

CVE-2023-0624

2023-02-0916:15:11

CWE-79

[email protected]

web.nvd.nist.gov

orangescrum

vulnerability

user accounts

arbitrary

text/html

response

cve-2023-0624

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.4%

JSON

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

Affected configurations

Nvd

Node

orangescrumorangescrumMatch2.0.11

VendorProductVersionCPE
orangescrumorangescrum2.0.11cpe:2.3:a:orangescrum:orangescrum:2.0.11:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
orangescrum	orangescrum	2.0.11	cpe:2.3:a:orangescrum:orangescrum:2.0.11:::::::*

References

fluidattacks.com/advisories/oberhofer/

github.com/Orangescrum/orangescrum/

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.4%

JSON

Related for NVD:CVE-2023-0624

prion1 osv1 cve1 cvelist1