CVE-2023-1783 MEDIUM

CVE-2023-1783: OrangeScrum 2.0.11 - AWS Credentials Leak via PDF Rendering

Vendor Orangescrum
Product Orangescrum
Weakness CWE-79 · XSS
Published June 23, 2023
Last update November 27, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.
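The defensive counterpart to this bug class is a resource policy applied before user-supplied HTML reaches the PDF renderer, so that nothing in the document can make the converter fetch a non-public address. The following is an added example, not OrangeScrum code; it assumes the renderer fetches every src/href/url() reference it finds, and the resolver callable and hostnames used in the demo are constructed.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Matches src="..." / href='...' attributes and CSS url(...) references.
_REF_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)|url\(\s*["']?([^"')]+)""", re.I
)

def _default_resolve(host: str) -> List[str]:
    """Resolve a hostname to IP strings via the OS resolver (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_allowed_resource_url(url: str, resolve: Callable[[str], Iterable[str]] = _default_resolve) -> bool:
    """Allow only http(s) URLs whose every resolved address is globally routable.

    Non-global addresses (loopback, RFC 1918, the 169.254.0.0/16 link-local range
    that hosts cloud instance-metadata services, IPv6 ULA) are refused, as are
    file:, data: and any other scheme the renderer might otherwise fetch.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    try:
        ipaddress.ip_address(host)          # IP literal: check it directly
        addrs: List[str] = [host]
    except ValueError:                      # hostname: check what it resolves to
        try:
            addrs = list(resolve(host))
        except (OSError, LookupError):
            return False                    # unresolvable: fail closed
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def blocked_references(html: str, resolve: Callable[[str], Iterable[str]] = _default_resolve) -> List[str]:
    """Return every resource reference in the HTML that the policy rejects."""
    refs = [a or b for a, b in _REF_RE.findall(html)]
    return [r for r in refs if not is_allowed_resource_url(r, resolve)]

if __name__ == "__main__":
    # Constructed sample of user-supplied HTML as it might reach the converter;
    # the resolver is a constructed stand-in for DNS so the demo runs offline.
    sample = ('<img src="https://cdn.example.com/logo.png">'
              '<iframe src="http://169.254.169.254/"></iframe>'
              '<div style="background:url(file:///etc/hostname)"></div>')
    print(blocked_references(sample, lambda h: {"cdn.example.com": ["93.184.216.34"]}[h]))
```

Rejecting the whole document when `blocked_references` is non-empty is simpler and safer than stripping the offending references, since a single missed reference is enough for the renderer to reach the metadata endpoint.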

Key dates

Disclosure timeline

June 23, 2023 CVE published
November 27, 2024 Record updated