Orangescrum 1.8.0 Privilege Escalation

2021.11.30
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation

# The user must be assigned to the project with the account he wants to take over

# The vulnerabilities in the application allow for:

* Taking over any account with which the project is assigned

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example

1. Go to the dashboard
2. Go to the page source view
3. Find in source "var PUSERS"
4. Copy "uniq_id" victim
5. Change cookie "USER_UNIQ" to "USER_UNIQ" victim from page source
6. After refreshing the page, you are logged in to the victim's account
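
The steps above succeed when the server takes the logged-in identity from the client-supplied USER_UNIQ cookie, a value that is also exposed in the dashboard page source. The following framework-neutral sketch puts that weak pattern beside a server-side binding check that rejects and records a mismatch. It is an added example, not Orangescrum code; the SESSION_ID cookie name, the session store and all function names are assumptions.

```python
import secrets

# Hypothetical server-side session store: opaque session id -> authenticated account.
SESSIONS = {}

def login(uniq_id):
    """Issue a session after a successful credential check (check not shown)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"uniq_id": uniq_id}
    return sid

def resolve_user_weak(cookies):
    """Weak pattern: identity is whatever the client-supplied USER_UNIQ says."""
    return cookies.get("USER_UNIQ")

def resolve_user_hardened(cookies, alerts):
    """Identity comes only from the server-side session. uniq_id values are exposed
    in the dashboard page source, so USER_UNIQ is an untrusted hint, not a credential."""
    sid = cookies.get("SESSION_ID", "")  # assumed name of the session cookie
    session = SESSIONS.get(sid)
    if session is None:
        return None
    claimed = cookies.get("USER_UNIQ")
    if claimed is not None and claimed != session["uniq_id"]:
        # Mismatch: record it for detection and revoke the session.
        alerts.append({"event": "user_uniq_mismatch",
                       "session_user": session["uniq_id"], "claimed": claimed})
        del SESSIONS[sid]
        return None
    return session["uniq_id"]

def demo():
    """Run both resolvers over constructed cookies for two constructed accounts."""
    alice, bob = "constructed-uniq-alice", "constructed-uniq-bob"
    sid = login(alice)
    alerts = []
    honest = {"SESSION_ID": sid, "USER_UNIQ": alice}
    altered = {"SESSION_ID": sid, "USER_UNIQ": bob}
    return {
        "weak_altered": resolve_user_weak(altered),
        "hardened_honest": resolve_user_hardened(honest, alerts),
        "hardened_altered": resolve_user_hardened(altered, alerts),
        "session_revoked": sid not in SESSIONS,
        "alerts": alerts,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The `user_uniq_mismatch` event doubles as a detection signal: a legitimate browser never sends a USER_UNIQ value that differs from the one the server issued for that session.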

