CVE-2023-33829

MEDIUM

Cloudogu GmbH SCM Manager <1.60 - XSS

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2023-33829. PoCs published by neg0x, P4x1s, n3gox.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in SCM Manager versions 1.2 to 1.60. It authenticates with provided credentials and creates a user, group, and repository with XSS payloads in their display names or descriptions.

Description

A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.

Exploits (5)

exploitdb WORKING POC
by neg0x · python · webapps · multiple
https://www.exploit-db.com/exploits/51488

This exploit demonstrates a stored XSS vulnerability in SCM Manager versions 1.2 to 1.60. It authenticates with provided credentials and creates a user, group, and repository with XSS payloads in their display names or descriptions.

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SCM Manager 1.2 to 1.60
Auth required
Prerequisites: Valid credentials for an admin or user with write permissions · Access to the SCM Manager web interface
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by P4x1s · poc
https://github.com/P4x1s/CVE-2023-33829-POC

This PoC demonstrates a stored XSS vulnerability in SCM Manager by creating users, groups, and repositories with malicious payloads in their display names or descriptions. It authenticates with provided credentials and sends crafted JSON requests to trigger the XSS.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SCM Manager (version not specified)
Auth required
Prerequisites: Valid credentials for an admin or user with write permissions · Access to the SCM Manager API
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by n3gox · poc
https://github.com/n3gox/CVE-2023-33829

This PoC demonstrates a stored XSS vulnerability in SCM Manager versions 1.2 to 1.60. It authenticates with provided credentials and creates a user, group, and repository with XSS payloads in vulnerable fields (displayName, description).

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SCM Manager 1.2 to 1.60
Auth required
Prerequisites: Valid credentials with write permissions · Access to the SCM Manager instance
devstral-2 · analyzed Feb 16, 2026
inthewild WORKING POC
poc
https://github.com/ckevens/cve-2023-33829-poc

This repository contains a functional Python script that exploits CVE-2023-33829, a stored XSS vulnerability in SCM Manager. The PoC authenticates with admin credentials and creates users, groups, and repositories with malicious XSS payloads in their metadata fields.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SCM Manager
Auth required
Prerequisites: Admin or write-permission user credentials · Access to the SCM Manager API
devstral-2 · analyzed Feb 23, 2026
inthewild WORKING POC
poc
https://github.com/3yujw7njai/cve-2023-33829-poc

This repository contains a functional Python script that exploits CVE-2023-33829, a stored XSS vulnerability in SCM Manager. The exploit authenticates with provided credentials and creates users, groups, and repositories with XSS payloads in their display names or descriptions.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SCM Manager
Auth required
Prerequisites: Valid admin or write-permission user credentials · Access to the SCM Manager instance
devstral-2 · analyzed Feb 23, 2026

References (3)

Scores

CVSS v3 5.4
EPSS 0.0249
EPSS Percentile 85.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
cloudogu/scm_manager 1.2 - 1.60
Published May 24, 2023
Tracked Since Feb 18, 2026