Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation

Severity: High
Date: December 23, 2025
Affecting: Orangescrum 1.8.0
Identifiers: CVE-2021-47721
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS Score: 8.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50551; Official Product Homepage
Credit: Hubert Wojciechowski

Description

Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account.
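The weakness class described above (CWE-639), shown beside a hardened session design and a regression check, as an added example that is not Orangescrum's code. The function names, class name and sample IDs are hypothetical, and the weak resolver only models the behaviour the description states (a cookie value equal to a user's unique ID is accepted as that user).

```python
import secrets

# Constructed sample data: unique IDs of the kind a page might expose in its markup.
USERS = {"uid-alice-1f3a": "alice", "uid-bob-9c2e": "bob"}


def resolve_weak(cookie_value):
    """Flawed pattern: the cookie carries the user's unique ID itself, so any
    client that learns an ID is treated as that user."""
    return USERS.get(cookie_value)


class SessionStore:
    """Hardened pattern: the cookie is an opaque random token and the
    token-to-user binding exists only on the server, created at login."""

    def __init__(self):
        self._sessions = {}  # token -> unique ID

    def login(self, uid):
        if uid not in USERS:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = uid
        return token

    def resolve(self, cookie_value):
        uid = self._sessions.get(cookie_value)
        return USERS.get(uid) if uid is not None else None

    def logout(self, token):
        self._sessions.pop(token, None)  # token is useless after logout


def ids_accepted_as_sessions(resolve, exposed_ids):
    """Regression check: list every page-exposed ID a resolver accepts as a session."""
    return [i for i in exposed_ids if resolve(i) is not None]


def demo():
    store = SessionStore()
    bob_token = store.login("uid-bob-9c2e")
    return {
        "weak_accepts_exposed_id": resolve_weak("uid-alice-1f3a"),
        "hardened_rejects_exposed_id": store.resolve("uid-alice-1f3a"),
        "hardened_accepts_issued_token": store.resolve(bob_token),
    }


if __name__ == "__main__":
    print(demo())
```

Running `ids_accepted_as_sessions` against every identifier an application renders into its pages gives a test that fails whenever a user-visible value doubles as a session credential.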