Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.
AnalysisAI
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Affected products include: Orangehrm.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath pa
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows r
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbi
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary w
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to e
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vu
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo
OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerabil
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today