# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated) # Date: 07/10/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.orangescrum.org/ # Software Link: https://www.orangescrum.org/ # Version: 1.8.0 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Privilege escalation # The user must be assigned to the project with the account he wants to take over # The vulnerabilities in the application allow for: * Taking over any account with which the project is assigned ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example 1. Go to the dashboard 2. Go to the page source view 3. Find in source "var PUSERS" 4. Copy "uniq_id" victim 5. Change cookie "USER_UNIQ" to "USER_UNIQ" victim from page source 6. After refreshing the page, you are logged in to the victim's account