CVE-2023-0454

Name of the Vulnerable Software and Affected Versions OrangeScrum version 2.0.11

Description The issue allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.

Recommendations For OrangeScrum version 2.0.11, consider restricting access to the parameter that is used to construct the internal path until a patch is available. As a temporary workaround, limit the privileges of authenticated users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.