CVE-2021-47720

HIGH

Orangescrum 1.8.0 - Authenticated SQL Injection via Multiple Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47720. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary: This is a proof-of-concept for an authenticated SQL injection vulnerability in OrangeScrum 1.8.0. The exploit demonstrates how an attacker can inject malicious SQL queries via the 'old_project_id' parameter in a POST request, leading to a 500 Internal Server Error when a single quote is used, indicating successful injection.

Description

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

Exploits (1)

exploitdb WORKING POC
by Hubert Wojciechowski · text · webapps · multiple
https://www.exploit-db.com/exploits/50553

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: OrangeScrum 1.8.0
Auth required
Prerequisites: Authenticated session in OrangeScrum
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.1
EPSS 0.0030
EPSS Percentile 21.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-89
Status published
Products (2)
orangescrum/orangescrum 1.8.0
Orangescrum/orangescrum 1.8.0
Published Dec 23, 2025
Tracked Since Feb 18, 2026