{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0164", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "assignerShortName": "Fluid Attacks", "dateUpdated": "2025-04-03T19:29:49.136Z", "dateReserved": "2023-01-10T00:00:00.000Z", "datePublished": "2023-01-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-01-18T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function."}], "affected": [{"vendor": "n/a", "product": "OrangeScrum", "versions": [{"version": "2.0.11", "status": "affected"}]}], "references": [{"url": "https://fluidattacks.com/advisories/queen/"}, {"url": "https://github.com/Orangescrum/orangescrum"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "OS Command Injection"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:02:44.047Z"}, "title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/queen/", "tags": ["x_transferred"]}, {"url": "https://github.com/Orangescrum/orangescrum", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-02T17:46:06.290414Z", "id": "CVE-2023-0164", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-03T19:29:49.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/queen/", "tags": ["x_transferred"]}, {"url": "https://github.com/Orangescrum/orangescrum", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:02:44.047Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-0164", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-02T17:46:06.290414Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T17:46:41.588Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "OrangeScrum", "versions": [{"status": "affected", "version": "2.0.11"}]}], "references": [{"url": "https://fluidattacks.com/advisories/queen/"}, {"url": "https://github.com/Orangescrum/orangescrum"}], "descriptions": [{"lang": "en", "value": "OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "OS Command Injection"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-01-18T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0164", "state": "PUBLISHED", "dateUpdated": "2025-04-03T19:29:49.136Z", "dateReserved": "2023-01-10T00:00:00.000Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2023-01-18T00:00:00.000Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orangescrum:orangescrum:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "563467F2-799D-404D-89D2-A6B5B6092614", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function."}, {"lang": "es", "value": "OrangeScrum versi\u00f3n 2.0.11 permite que un atacante externo autenticado ejecute comandos arbitrarios en el servidor. Esto es posible porque la aplicaci\u00f3n inyecta un par\u00e1metro controlado por el atacante en una funci\u00f3n del sistema."}], "id": "CVE-2023-0164", "lastModified": "2025-04-03T20:15:19.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-18T22:15:10.597", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/queen/"}, {"source": "help@fluidattacks.com", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/Orangescrum/orangescrum"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/queen/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/Orangescrum/orangescrum"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}