orangescrum CVE Vulnerabilities & Metrics

Focus on orangescrum vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About orangescrum Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with orangescrum. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total orangescrum CVEs: 6
Earliest CVE date: 18 Jan 2023, 22:15 UTC
Latest CVE date: 21 Jan 2025, 21:15 UTC

Latest CVE reference: CVE-2024-48392

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical orangescrum CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 6
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS orangescrum CVEs

These are the five CVEs with the highest CVSS scores for orangescrum, sorted by severity first and then by recency.

All CVEs for orangescrum

CVE-2024-48392 orangescrum vulnerability CVSS: 0 21 Jan 2025, 21:15 UTC

OrangeScrum v2.0.11 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript code into user email due to lack of input validation, which could lead to account takeover.

CVE-2023-1783 orangescrum vulnerability CVSS: 0 23 Jun 2023, 22:15 UTC

OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF.

CVE-2023-0738 orangescrum vulnerability CVSS: 0 04 Apr 2023, 23:15 UTC

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

CVE-2023-0624 orangescrum vulnerability CVSS: 0 09 Feb 2023, 16:15 UTC

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

CVE-2023-0454 orangescrum vulnerability CVSS: 0 01 Feb 2023, 03:15 UTC

OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.

CVE-2023-0164 orangescrum vulnerability CVSS: 0 18 Jan 2023, 22:15 UTC

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.