PRIOn knowledge base: PRION:CVE-2023-0738
History: Apr 04, 2023 - 11:15 p.m.

Design/Logic Flaw

2023-04-04 23:15:00
PRIOn knowledge base
www.prio-n.com
orangescrum
design flaw
arbitrary user accounts
external attacker
text/html
nvd

AI Score: 6.2 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 39.9%)

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

CPE Name | Operator | Version
orangescrum | eq | 2.0.11
