{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0164", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "assignerShortName": "Fluid Attacks", "dateUpdated": "2024-08-02T05:02:44.047Z", "dateReserved": "2023-01-10T00:00:00", "datePublished": "2023-01-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-01-18T00:00:00"}, "descriptions": [{"lang": "en", "value": "OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function."}], "affected": [{"vendor": "n/a", "product": "OrangeScrum", "versions": [{"version": "2.0.11", "status": "affected"}]}], "references": [{"url": "https://fluidattacks.com/advisories/queen/"}, {"url": "https://github.com/Orangescrum/orangescrum"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "OS Command Injection"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:02:44.047Z"}, "title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/queen/", "tags": ["x_transferred"]}, {"url": "https://github.com/Orangescrum/orangescrum", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orangescrum:orangescrum:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "563467F2-799D-404D-89D2-A6B5B6092614", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function."}, {"lang": "es", "value": "OrangeScrum versi\u00f3n 2.0.11 permite que un atacante externo autenticado ejecute comandos arbitrarios en el servidor. Esto es posible porque la aplicaci\u00f3n inyecta un par\u00e1metro controlado por el atacante en una funci\u00f3n del sistema."}], "id": "CVE-2023-0164", "lastModified": "2023-01-28T03:37:57.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T22:15:10.597", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/queen/"}, {"source": "help@fluidattacks.com", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/Orangescrum/orangescrum"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}