CVE-2021-47721

HIGH

Orangescrum 1.8.0 - Session Cookie Account Takeover

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47721. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary

This exploit demonstrates a privilege escalation vulnerability in Orangescrum 1.8.0 by manipulating the 'USER_UNIQ' cookie to impersonate another user. The attacker must be authenticated and assigned to the same project as the victim.

Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.

Exploits (1)

exploitdb · WORKING POC
by Hubert Wojciechowski · text · webapps · multiple
https://www.exploit-db.com/exploits/50551

Classification
Working PoC: 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Orangescrum 1.8.0
Auth required: yes
Prerequisites: Authenticated access to the application · Shared project assignment with the victim
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0042
EPSS Percentile 33.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-639
Status published
Products (1)
orangescrum/orangescrum 1.8.0
Published Dec 23, 2025
Tracked Since Feb 18, 2026