CVE-2023-1783: OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering

6.5 CVSS

Description

OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.

Classification

CVE ID: CVE-2023-1783

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

Affected Products

Vendor: Orangescrum

Product: Orangescrum

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 45.08% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date on which this score was calculated)

References

https://github.com/Orangescrum/orangescrum/
https://fluidattacks.com/advisories/stirling/

Timeline