VYPR

Orangehrm

by Orangehrm

Source repositories

CVEs (31)

  • CVE-2022-27109Apr 6, 2022
    risk 0.00cvss epss 0.00

    OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.

  • CVE-2022-27108Apr 6, 2022
    risk 0.00cvss epss 0.01

    OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.

  • CVE-2022-27107Apr 6, 2022
    risk 0.00cvss epss 0.00

    OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter

  • CVE-2021-28399Apr 26, 2021
    risk 0.00cvss epss 0.01

    OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.

  • CVE-2020-29437Jan 5, 2021
    risk 0.00cvss epss 0.02

    SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.

  • CVE-2013-1353Feb 10, 2020
    risk 0.00cvss epss 0.01

    Orange HRM 2.7.1 allows XSS via the vacancy name.

  • CVE-2019-12839Jun 15, 2019
    risk 0.00cvss epss 0.05

    In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.

  • CVE-2014-100021Jan 13, 2015
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.

  • CVE-2011-3766Sep 24, 2011
    risk 0.00cvss epss 0.01

    OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files.

  • CVE-2007-5931Nov 10, 2007
    risk 0.00cvss epss 0.01

    The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. NOTE: the provenance of this information is unknown; the details…

  • CVE-2007-1193Mar 2, 2007
    risk 0.00cvss epss 0.01

    Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.

Page 2 of 2