
Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.

Status: Published | Reserved 2025-12-07 | Published 2025-12-23 | Updated 2025-12-23 | Assigner: VulnCheck

Severity

HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Orangescrum 1.8.0: affected

Credits

Hubert Wojciechowski (finder)

References

www.exploit-db.com/exploits/50551 (ExploitDB-50551) [exploit]

www.orangescrum.org/ (Official Product Homepage) [product]

www.vulncheck.com/...scalation-via-user-session-manipulation (VulnCheck Advisory: Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation) [third-party-advisory]

cve.org (CVE-2021-47721) [CVE record]

nvd.nist.gov (CVE-2021-47721) [NVD entry]


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.