Orangehrm
Monthly
OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.
OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.
OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.
OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.
OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.
OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.
OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.
OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.
OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.