CVE-2021-47720

Description

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

PUBLISHED Reserved 2025-12-05 | Published 2025-12-23 | Updated 2025-12-23 | Assigner VulnCheck

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Credits

Hubert Wojciechowski finder

References

www.exploit-db.com/exploits/50553 (ExploitDB-50553) exploit

www.orangescrum.org/ (Official Product Homepage) product

www.vulncheck.com/...d-sql-injection-via-multiple-parameters (VulnCheck Advisory: Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters) third-party-advisory

cve.org (CVE-2021-47720)

nvd.nist.gov (CVE-2021-47720)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.