### Key Information

#### CVE Information

- **CVE ID:** CVE-2025-60785
- **Severity:** High
- **CVSS v3.1:** 8.8
- **Affected Vendor:** IceScrum
- **Affected Product:** IceScrum
- **Vulnerability Type:** Remote Code Execution

#### Vulnerability Details

The `testDbConnection` HTTP endpoint accepts a user-supplied JDBC connection string. When a vulnerable PostgreSQL JDBC driver is present, crafted JDBC strings can trigger remote code execution on the server. The lack of CSRF protections allows an attacker to coerce an authenticated user into submitting a malicious JDBC string, leading to server-side remote code execution.

#### Proof of Concept

- The exploit POC can be found in: [POC.py](POC.py)

#### Affected Versions

- This vulnerability affects IceScrum versions ≤ 7.5.4. Security patches should be applied immediately.

#### References

- [CVE.ORG](https://cve.org)
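The two weaknesses described under Vulnerability Details (a raw JDBC URL accepted from the request, and no CSRF check on the endpoint) map to two server-side controls. The following is an added illustration written for this page; it is not IceScrum code, not the POC, and it does not reproduce the project's handler. It assumes a hypothetical `testDbConnection`-style handler that receives form fields and a session CSRF token, and it shows the pattern a maintainer would apply: build the PostgreSQL JDBC URL from separately validated host, port and database name instead of accepting a free-form string, reject any submitted URL that carries a query string or extra driver properties, and verify the CSRF token in constant time before doing anything else.

```python
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Allowlisted shapes for the individual fields (hypothetical policy for this
# example; a real deployment would tune these to its own naming rules).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_DBNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")
_DEFAULT_PG_PORT = 5432


def build_jdbc_url(host: str, port: int, dbname: str) -> str:
    """Build the JDBC URL server-side from validated fields.

    Nothing the client sends reaches the driver verbatim: only the three
    allowlisted fields are interpolated, so no driver properties can be
    smuggled in. Raises ValueError on anything unexpected.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    if not 1 <= port <= 65535:
        raise ValueError("invalid port")
    if not _DBNAME_RE.fullmatch(dbname):
        raise ValueError("invalid database name")
    return f"jdbc:postgresql://{host}:{port}/{dbname}"


def is_safe_jdbc_url(raw: str) -> bool:
    """Accept a raw JDBC URL only if it reduces to the allowlisted shape.

    Useful when an existing API must keep taking a URL string: any query
    string, fragment or embedded credentials is rejected outright, and the
    remaining parts must survive build_jdbc_url's field checks.
    """
    if not raw.startswith("jdbc:"):
        return False
    parts = urlsplit(raw[len("jdbc:"):])
    if parts.scheme != "postgresql" or parts.query or parts.fragment:
        return False
    if parts.username or parts.password:
        return False
    try:
        port = parts.port if parts.port is not None else _DEFAULT_PG_PORT
    except ValueError:  # non-numeric port in the netloc
        return False
    try:
        build_jdbc_url(parts.hostname or "", port, parts.path.lstrip("/"))
    except ValueError:
        return False
    return True


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the session's CSRF token with the form's."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def handle_test_db_connection(session_token: Optional[str], form: dict) -> Tuple[int, str]:
    """Hypothetical hardened handler (not IceScrum's): CSRF first, then
    allowlisted fields. Returns (status, message) instead of opening a
    connection so the logic can be exercised offline."""
    if not csrf_token_valid(session_token, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    try:
        url = build_jdbc_url(
            form.get("host", ""),
            int(form.get("port", _DEFAULT_PG_PORT)),
            form.get("dbname", ""),
        )
    except ValueError as exc:
        return 400, str(exc)
    # A real handler would now attempt the connection with `url`.
    return 200, url


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(handle_test_db_connection("tok", {"csrf_token": "tok", "host": "db.example.test",
                                            "port": "5432", "dbname": "icescrum"}))
    print(is_safe_jdbc_url("jdbc:postgresql://db.example.test:5432/icescrum?x=y"))
```

The structured-fields approach is the stronger of the two: once the handler never sees a full URL, there is no parser edge case to get wrong. `is_safe_jdbc_url` exists for the transitional case where the endpoint's contract cannot change immediately, and it deliberately fails closed on anything it does not recognise rather than trying to enumerate bad driver properties.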