Unrated severityNVD Advisory· Published Dec 3, 2012· Updated Apr 29, 2026

CVE-2012-5367

Description

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.

Affected products

Orangehrm/Orangehrm
cpe:2.3:a:orangehrm:orangehrm:2.7.1:rc1:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

archives.neohapsis.com/archives/bugtraq/2012-11/0029.htmlnvdExploit
www.securityfocus.com/bid/56417nvdExploit
www.htbridge.com/advisory/HTB23119nvdExploit
osvdb.org/86858nvd
packetstormsecurity.org/files/117925/OrangeHRM-2.7.1-rc.1-Cross-Site-Request-Forgery-SQL-Injection.htmlnvd
exchange.xforce.ibmcloud.com/vulnerabilities/79833nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000