Unrated severity · NVD Advisory · Published Sep 17, 2014 · Updated May 6, 2026
CVE-2012-1507
Description
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.
Affected products
- cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:* (range: <=2.6.12.1)
- cpe:2.3:a:orangehrm:orangehrm:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:orangehrm:orangehrm:2.6.9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/ (nvd, Patch)
- www.securityfocus.com/bid/53433 (nvd, Exploit)
- www.htbridge.com/advisory/HTB23080 (nvd, Exploit)
- osvdb.org/81744 (nvd)
- osvdb.org/81745 (nvd)
- osvdb.org/81746 (nvd)
- secunia.com/advisories/49072 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/75473 (nvd)