CVE-2024-48392

MEDIUM

Orangescrum - XSS

Title source: rule

Description

OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.

Exploits (1)

nomisec WRITEUP

by Renzusclarke · poc

https://github.com/Renzusclarke/CVE-2024-48392-PoC

View Code ZIP pw:eip

References (3)

[Exploit] https://github.com/Renzusclarke/CVE-2024-48392-PoC

[Exploit] https://github.com/Renzusclarke/CVE-2024-48392-PoC/blob/main/poc.txt

[Product] https://www.orangescrum.com/

Scores

CVSS v3 5.4

EPSS 0.0034

EPSS Percentile 56.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

orangescrum/orangescrum 2.0.11

Published Jan 21, 2025

Tracked Since Feb 18, 2026