CVE-2021-47721

HIGH

8.8

Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.

CVE Details

CVSS v3.1 Score8.8

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published12/23/2025

Last Modified12/31/2025

Sourcenvd

Honeypot Sightings0

Affected Products

orangescrum:orangescrum

Weaknesses (CWE)

CWE-639

References

https://www.exploit-db.com/exploits/50551(disclosure@vulncheck.com)

https://www.orangescrum.org/(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/orangescrum-authenticated-privilege-escalation-via-user-session-manipulation(disclosure@vulncheck.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.