Vulnerabilities (CVE)

Filtered by vendor Orangehrm Subscribe
Filtered by product Orangehrm
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-28985 1 Orangehrm 1 Orangehrm 2024-11-21 3.5 LOW 6.3 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
CVE-2022-27110 1 Orangehrm 1 Orangehrm 2024-11-21 4.9 MEDIUM 5.4 MEDIUM
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.
CVE-2022-27109 1 Orangehrm 1 Orangehrm 2024-11-21 4.9 MEDIUM 5.4 MEDIUM
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
CVE-2022-27108 1 Orangehrm 1 Orangehrm 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.
CVE-2022-27107 1 Orangehrm 1 Orangehrm 2024-11-21 3.5 LOW 5.4 MEDIUM
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter
CVE-2021-28399 1 Orangehrm 1 Orangehrm 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.
CVE-2020-29437 1 Orangehrm 1 Orangehrm 2024-11-21 5.5 MEDIUM 8.1 HIGH
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
CVE-2019-12839 1 Orangehrm 1 Orangehrm 2024-11-21 6.5 MEDIUM 8.8 HIGH
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2014-100021 1 Orangehrm 1 Orangehrm 2024-11-21 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.
CVE-2013-1353 1 Orangehrm 1 Orangehrm 2024-11-21 3.5 LOW 5.4 MEDIUM
Orange HRM 2.7.1 allows XSS via the vacancy name.
CVE-2012-5367 1 Orangehrm 1 Orangehrm 2024-11-21 6.0 MEDIUM N/A
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.
CVE-2012-1507 1 Orangehrm 1 Orangehrm 2024-11-21 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.
CVE-2012-1506 1 Orangehrm 1 Orangehrm 2024-11-21 6.5 MEDIUM N/A
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.
CVE-2011-5259 1 Orangehrm 1 Orangehrm 2024-11-21 6.8 MEDIUM N/A
SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2011-5258 1 Orangehrm 1 Orangehrm 2024-11-21 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.
CVE-2011-3766 1 Orangehrm 1 Orangehrm 2024-11-21 5.0 MEDIUM N/A
OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files.
CVE-2010-4798 1 Orangehrm 1 Orangehrm 2024-11-21 6.8 MEDIUM N/A
Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter.
CVE-2007-5931 1 Orangehrm 1 Orangehrm 2024-11-21 5.0 MEDIUM N/A
The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-1193 1 Orangehrm 1 Orangehrm 2024-11-21 9.3 HIGH N/A
Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.