RSS   Podatności dla 'Orangehrm'   RSS

2022-05-20
 
CVE-2022-28985

CWE-79
 

 
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

 
2022-04-06
 
CVE-2022-27107

CWE-79
 

 
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter

 
 
CVE-2022-27108

CWE-639
 

 
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.

 
 
CVE-2022-27109

CWE-601
 

 
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.

 
 
CVE-2022-27110

CWE-601
 

 
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.

 
2021-01-05
 
CVE-2020-29437

CWE-89
 

 
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.

 
2020-02-10
 
CVE-2013-1353

CWE-79
 

 
Orange HRM 2.7.1 allows XSS via the vacancy name.

 
2019-06-15
 
CVE-2019-12839

CWE-77
 

 
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.

 
2015-01-13
 
CVE-2014-100021

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.

 
2014-09-17
 
CVE-2012-1507

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.

 


Copyright 2024, cxsecurity.com

 

Back to Top