CVE-2024-48392

MEDIUM

OrangeScrum 2.0.11 - Stored Cross-Site Scripting via User Email Input


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-48392. PoCs published by Renzusclarke.

AI-analyzed exploit summary: This repository contains a README describing a PoC for CVE-2024-48392, an XSS vulnerability in Orangescrum. No actual exploit code is provided.

Description

OrangeScrum v2.0.11 is vulnerable to Cross-Site Scripting (XSS). An attacker can inject malicious JavaScript into the user email field because the input is not validated, which could lead to account takeover.

Exploits (1)

Source: nomisec · Writeup
by Renzusclarke · PoC
https://github.com/Renzusclarke/CVE-2024-48392-PoC


Classification: Writeup 30%
Attack Type: XSS
Complexity: Theoretical
Reliability: Theoretical
Target: Orangescrum (self-hosted and premium versions)
Authentication: No auth needed
Prerequisites: Access to a vulnerable Orangescrum instance
MITRE ATT&CK: (none listed)
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0078
EPSS Percentile 51.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
orangescrum/orangescrum 2.0.11
Published Jan 21, 2025
Tracked Since Feb 18, 2026