OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
References
Link | Resource |
---|---|
https://fluidattacks.com/advisories/slushii/ | Exploit Third Party Advisory |
https://github.com/Orangescrum/orangescrum/ | Product Third Party Advisory |
Configurations
History
No history.
Information
Published : 2023-02-01 03:15
Updated : 2024-02-28 19:51
NVD link : CVE-2023-0454
Mitre link : CVE-2023-0454
CVE.ORG link : CVE-2023-0454
JSON object : View
Products Affected
orangescrum
- orangescrum
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')