OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection
Description
OrangeHRM 5.0-5.7 has an input-neutralization flaw in mail configuration allowing arbitrary file write via sendmail parameter injection, leading to code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OrangeHRM versions 5.0 through 5.7 contain an input-neutralization flaw in the mail configuration and delivery workflow. User-controlled values are passed unsanitized into the system's sendmail command, allowing injection of sendmail parameters. This lets an attacker make the application write files on the server during email processing. The issue is described in the advisory [1].
Exploitation
An attacker with administrative access to the mail configuration settings can inject sendmail parameters such as -O or -X to write arbitrary content to a file. The attacker must be able to trigger email sending (e.g., by creating a user or event that sends a notification). The unsanitized input flows directly into the OS-level command string, allowing the attacker to control the file path and content.
Impact
Successful exploitation allows the attacker to write arbitrary files to the server. If the file is written to a web-accessible directory, the attacker can achieve remote code execution by writing a PHP file (or other executable content) and accessing it via the web server. This results in full compromise of the application and server.
Mitigation
The issue has been patched in OrangeHRM version 5.8 [1]. Users should upgrade to version 5.8 or later. No workarounds are mentioned in the available references. The vulnerability is not listed on CISA's KEV as of the publication date.
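The root cause described above is a missing neutralization step between administrator-supplied mail settings and the OS-level sendmail invocation. The following is an added example of that neutralization written from a defender's perspective; it is not OrangeHRM's code and not the 5.8 fix. It assumes an allowlist of sendmail binaries and flags (constructed here), a conservative address regex, and that the caller hands the resulting argv list to `subprocess.run` without a shell. Anything that is not an allowlisted binary followed only by allowlisted flags is rejected, so injected parameters such as `-X` or `-O` never reach the command line, and addresses beginning with `-` are refused because sendmail would parse them as options.

```python
import re
import shlex
from typing import List, Tuple

# Constructed allowlists for this example; a real deployment would carry
# only the binary and flags its own mail transport actually uses.
ALLOWED_SENDMAIL_BINARIES = {"/usr/sbin/sendmail", "/usr/lib/sendmail"}
ALLOWED_SENDMAIL_FLAGS = {"-t", "-i", "-oi"}

# Conservative address shape: local part, "@", dotted domain. The first
# character class excludes "-", so an address can never start as an option.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_sendmail_command(value: str) -> Tuple[bool, str]:
    """Check an administrator-supplied sendmail command line.

    Returns (ok, reason). Only an allowlisted binary followed by allowlisted
    flags passes, so option injection such as -X or -O (which make sendmail
    write files) is rejected before any process is spawned.
    """
    try:
        argv = shlex.split(value)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    binary, args = argv[0], argv[1:]
    if binary not in ALLOWED_SENDMAIL_BINARIES:
        return False, f"binary not allowlisted: {binary}"
    for arg in args:
        if arg not in ALLOWED_SENDMAIL_FLAGS:
            return False, f"argument not allowlisted: {arg}"
    return True, "ok"


def validate_address(address: str) -> bool:
    """Accept only plain addresses; a leading '-' would be parsed as an option."""
    return bool(_ADDRESS_RE.match(address))


def build_sendmail_argv(command: str, sender: str, recipients: List[str]) -> List[str]:
    """Assemble an argv list (never a shell string) for subprocess.run.

    Raises ValueError when any component fails validation, so the caller can
    log the rejected configuration instead of sending mail with it.
    """
    ok, reason = validate_sendmail_command(command)
    if not ok:
        raise ValueError(reason)
    if not validate_address(sender):
        raise ValueError(f"rejected sender: {sender!r}")
    bad = [r for r in recipients if not validate_address(r)]
    if bad:
        raise ValueError(f"rejected recipients: {bad!r}")
    # Envelope sender via -f, then recipients. Each value is its own argv
    # element: no shell quoting applies and no value can merge into a flag.
    return shlex.split(command) + ["-f", sender] + list(recipients)


if __name__ == "__main__":
    # Constructed sample inputs: one benign configuration and one with the
    # -X trace-file option (one of the parameters named in the advisory class).
    for cmd in ("/usr/sbin/sendmail -t -i",
                "/usr/sbin/sendmail -t -i -X /tmp/trace.log"):
        print(cmd, "->", validate_sendmail_command(cmd))
    print(build_sendmail_argv("/usr/sbin/sendmail -t -i",
                              "hr@example.com", ["alice@example.com"]))
```

The allowlist approach is deliberate: denylisting the specific flags named in the advisory would leave every other file-writing or configuration-overriding sendmail option reachable, whereas an allowlist makes the set of accepted inputs exactly the set the transport needs. Rejections from `validate_sendmail_command` are also a useful detection signal when logged, since a legitimate administrator rarely edits the sendmail path at all.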
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55 (MITRE x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.