RSS   Vulnerabilities for 'Orangehrm'   RSS

2021-01-05
 
CVE-2020-29437

CWE-89
 

 
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.

 
2020-02-10
 
CVE-2013-1353

CWE-79
 

 
Orange HRM 2.7.1 allows XSS via the vacancy name.

 
2019-06-15
 
CVE-2019-12839

CWE-77
 

 
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.

 
2015-01-13
 
CVE-2014-100021

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.

 
2014-09-17
 
CVE-2012-1507

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.

 
 
CVE-2012-1506

CWE-89
 

 
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.

 
2013-02-12
 
CVE-2011-5259

CWE-89
 

 
SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

 
 
CVE-2011-5258

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.

 
2012-12-03
 
CVE-2012-5367

CWE-89
 

 
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.

 
2011-09-23
 
CVE-2011-3766

CWE-200
 

 
OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files.

 


Copyright 2021, cxsecurity.com

 

Back to Top