Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation

Advisories

severity: high
date: December 23, 2025
Affecting: orangescrum 1.8.0
CVE: CVE-2021-47721
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50551
Official Product Homepage
Credit: Hubert Wojciechowski
Description: Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.