iceScrum Zip Slip Vulnerability in Project Import Component Allowing Arbitrary Code Execution

Vulnerability

A Zip Slip vulnerability has been identified in the project import feature of iceScrum version 7.54 Pro On-prem. It allows an attacker to execute arbitrary code by uploading a specially crafted ZIP file. The root cause is that the application does not properly sanitize file paths (for example entries containing "../" segments) when extracting user-supplied project archives, so entries can be written outside the intended extraction directory. Exploitation could lead to writing arbitrary files on the server filesystem, with the potential for remote code execution, configuration tampering, service disruption, or data exfiltration.
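The missing check described above, as an added illustration that is not iceScrum's own code: every archive entry name is joined to the extraction directory, normalised, and only accepted if the result still lies beneath that directory. The sample archive, its entry names and the destination path are constructed for the demonstration.

```python
import io
import os
import zipfile


def entry_escapes(dest: str, name: str) -> bool:
    """True if archive entry `name` would land outside `dest`.

    This is the check the import path must do before writing: join the
    entry name to the destination, normalise away '..' segments, then
    confirm the result is still beneath the destination. Absolute
    names are refused outright.
    """
    base = os.path.abspath(dest)
    if os.path.isabs(name):
        return True
    candidate = os.path.normpath(os.path.join(base, name))
    try:
        return os.path.commonpath([base, candidate]) != base
    except ValueError:  # different drives on Windows: not beneath dest
        return True


def check_archive(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split an archive's entry names into (safe, rejected)."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (rejected if entry_escapes(dest, name) else safe).append(name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory sample, not a real iceScrum export: two
    legitimate project files plus three entries a Zip Slip check must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/project.xml", "<project/>")
        zf.writestr("project/stories/story-1.xml", "<story/>")
        zf.writestr("../../../escaped.txt", "leaves dest through ..")
        zf.writestr("project/../../escaped2.txt", "nested .. still leaves dest")
        zf.writestr("/absolute/escaped.txt", "absolute name ignores dest")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = check_archive(build_sample_archive(), "/tmp/icescrum-import")
    print("would extract:", ok)
    print("rejected     :", bad)
```

A hardened importer should refuse the whole archive when any entry is rejected rather than extract the safe subset, since a partial import leaves the project in an inconsistent state.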

Impact

Exploitation of this vulnerability could result in arbitrary code execution on the server.

Remediation

Users should apply the vendor's security patches, or disable the project import feature until a patched version is installed.

Added: Dec 15, 2025, 4:20 PM
Updated: Dec 15, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.