CVE-2021-47720

HIGH

Orangescrum - SQL Injection

Title source: rule

Description

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters such as old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

Exploits (1)

exploit-db (working PoC)
by Hubert Wojciechowski · text · webapps · multiple
https://www.exploit-db.com/exploits/50553

Scores

CVSS v3 7.1
EPSS 0.0001
EPSS Percentile 3.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
orangescrum/orangescrum 1.8.0
Orangescrum/orangescrum 1.8.0
Published Dec 23, 2025
Tracked Since Feb 18, 2026