← back
CVE-2023-1783

OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering

CVSS 6.5 MEDIUMEPSS 0.6%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Jun 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Orangescrum · Orangescrum

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://fluidattacks.com/advisories/stirling/https://github.com/Orangescrum/orangescrum/