CVE-2021-47721

HIGH

Orangescrum - IDOR

Title source: rule

Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability (an IDOR, CWE-639) that allows an authenticated user to take over other accounts assigned to the same project by tampering with the session cookie. The application exposes each user's unique ID in the page source; an attacker reads the victim's ID from there, substitutes it into their own session cookie, and is then treated as the victim, gaining unauthorized access to that user's account. The server trusts the client-supplied identifier in the cookie instead of binding the session to the authenticated user on the server side.
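The pattern the description names is "identity is whatever the cookie says". The following is an added illustration written for this page, not Orangescrum's code and not the Exploit-DB PoC: a constructed toy app whose session cookie carries the user ID and is trusted as-is, next to two hardened variants (an opaque random session ID mapped to the user on the server, and a user-ID cookie protected by an HMAC). The user table, cookie names, server key and the `attacker_takeover` helper are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user table. The numeric IDs stand in for the kind of per-user
# identifier that an application may expose in page source.
USERS = {1: "alice", 2: "bob", 3: "carol"}

# Hypothetical server-side key for the signed-cookie variant (example only).
SERVER_KEY = b"constructed-server-key-do-not-reuse"


def _uid_for(username):
    return next(uid for uid, name in USERS.items() if name == username)


class VulnerableApp:
    """The session cookie *is* the user id and the server trusts it (CWE-639)."""

    def login(self, username):
        return {"session_user_id": str(_uid_for(username))}

    def whoami(self, cookies):
        # No server-side binding: whoever controls the cookie chooses the identity.
        try:
            uid = int(cookies.get("session_user_id", ""))
        except ValueError:
            return None
        return USERS.get(uid)


class OpaqueSessionApp:
    """Random session id; the id -> user mapping lives only on the server."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = _uid_for(username)
        return {"session_id": sid}

    def whoami(self, cookies):
        uid = self._sessions.get(cookies.get("session_id"))
        return USERS.get(uid)


class SignedCookieApp:
    """Cookie still carries the user id, but with an HMAC the client cannot forge."""

    def login(self, username):
        uid = str(_uid_for(username))
        tag = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
        return {"session": f"{uid}.{tag}"}

    def whoami(self, cookies):
        value = cookies.get("session", "")
        uid, sep, tag = value.partition(".")
        if not sep or not uid.isdigit():
            return None
        expected = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered or forged cookie
        return USERS.get(int(uid))


def attacker_takeover(app, victim_uid):
    """Attacker logs in as bob, then rewrites the cookie to name the victim's id.

    Mirrors the reported technique: the victim's ID is already known (for
    example read from page source) and only the cookie value is changed.
    """
    cookies = app.login("bob")
    for name in list(cookies):
        if name == "session":
            _uid, _, tag = cookies[name].partition(".")
            cookies[name] = f"{victim_uid}.{tag}"  # swap the id, keep the old tag
        else:
            cookies[name] = str(victim_uid)
    return app.whoami(cookies)


def legitimate_user(app):
    """Sanity check: an untampered login still resolves to the right user."""
    return app.whoami(app.login("bob"))


if __name__ == "__main__":
    print("vulnerable  :", attacker_takeover(VulnerableApp(), 1))      # alice
    print("opaque sid  :", attacker_takeover(OpaqueSessionApp(), 1))   # None
    print("signed cookie:", attacker_takeover(SignedCookieApp(), 1))   # None
```

The check a tester would run against a real deployment is the same shape as `attacker_takeover`: log in as a low-privilege project member, note the identifier the page source exposes for another member, substitute it into the session cookie, and see whether a request that should be scoped to your own account now returns the other user's data. Either of the two hardened designs defeats that; the opaque-session approach is preferable because it also keeps the user ID out of the cookie entirely.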

Exploits (1)

exploitdb WORKING POC
by Hubert Wojciechowski · webapps / multiple (txt)
https://www.exploit-db.com/exploits/50551

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 6.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-639
Status published
Products (1)
orangescrum/orangescrum 1.8.0
Published Dec 23, 2025
Tracked Since Feb 18, 2026