Vulnerabilities > Orangehrm

DATE  CVE  VULNERABILITY TITLE  RISK (CVSS base score)
Each entry lists its description, attack vector, attack complexity, vendor and CWE beneath the title line.
2022-05-20  CVE-2022-28985  Cross-site Scripting vulnerability in Orangehrm 4.10.1  Risk: 5.4
    A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-79
2022-04-06  CVE-2022-27107  Cross-site Scripting vulnerability in Orangehrm 4.10  Risk: 5.4
    OrangeHRM 4.10 is vulnerable to stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-79
2022-04-06  CVE-2022-27108  Authorization Bypass Through User-Controlled Key vulnerability in Orangehrm 4.10  Risk: 4.3
    OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-639
2022-04-06  CVE-2022-27109  Open Redirect vulnerability in Orangehrm 4.10  Risk: 5.4
    OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-601
2022-04-06  CVE-2022-27110  Open Redirect vulnerability in Orangehrm 4.10  Risk: 5.4
    OrangeHRM 4.10 is vulnerable to a Host header injection redirect via the viewPersonalDetails endpoint.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-601
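The two open-redirect entries above (CVE-2022-27109 via the Referer header, CVE-2022-27110 via the Host header) share one root cause: a redirect target assembled from request headers that the client controls. The Python below is an added illustration of that weakness class and its fix, written for this page; it is not OrangeHRM code (which is PHP), and the canonical host, allowlist and request paths in it are constructed for the example. It goes slightly beyond the two entries by also rejecting the usual allowlist-bypass shapes (scheme-relative `//host`, backslash `/\host`, userinfo `good@evil`, non-http schemes).

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed deployment configuration (assumption for this example): the
# operator sets the canonical origin; nothing below derives it from a request.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "hr.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST}


def vulnerable_host_redirect(headers: dict, path: str) -> str:
    """CWE-601, Host-header variant: the authority of the Location URL is
    copied from a header the client controls."""
    return f"https://{headers.get('Host', '')}{path}"


def vulnerable_referer_redirect(headers: dict) -> str:
    """CWE-601, Referer variant: a 'back' redirect sends the browser to
    whatever URL the client placed in Referer."""
    return headers.get("Referer", "/")


def is_local_path(target: str) -> bool:
    """True for a same-origin path. '//host' is scheme-relative and browsers
    treat '/\\host' the same way, so both are rejected."""
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def safe_redirect_target(target: Optional[str], default: str = "/") -> str:
    """Accept a same-origin path or an http(s) URL whose host is allowlisted;
    everything else falls back to the default."""
    if not target:
        return default
    target = target.strip()
    if is_local_path(target):
        return target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return default
    # .hostname drops userinfo and port, so 'https://hr.example.com@evil.test/'
    # yields 'evil.test' and is rejected instead of matching on a prefix.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return default
    return target


def hardened_host_redirect(path: str) -> str:
    """Build the Location URL from configuration only; the Host header is
    never consulted."""
    if not is_local_path(path):
        path = "/"
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, path, "", ""))


def hardened_referer_redirect(headers: dict) -> str:
    """Use Referer only after it passes the allowlist check."""
    return safe_redirect_target(headers.get("Referer"))
```

Comparing hostnames rather than string prefixes is the important detail: a check such as `target.startswith("https://hr.example.com")` still passes `https://hr.example.com.evil.test/` and `https://hr.example.com@evil.test/`.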
2021-04-26  CVE-2021-28399  Unspecified vulnerability in Orangehrm 4.7  Risk: 5.3
    OrangeHRM 4.7 allows an unauthenticated user to enumerate valid usernames and email addresses via the forgot-password function.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE: none assigned
2021-01-05  CVE-2020-29437  SQL Injection vulnerability in Orangehrm  Risk: 8.1
    SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-89
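The CVE-2020-29437 entry describes a user-id parameter reaching a query as SQL text. The following Python is an added example for this page of what that pattern looks like against a feed table and how binding the parameter removes it; it is not OrangeHRM's BuzzDao code, and the schema, rows and function names are constructed for the example (SQLite in memory, so it runs offline).

```python
import sqlite3
from typing import Any, List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a social-feed schema (assumption): a users table
    with credentials and a posts table keyed by user id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
        INSERT INTO posts VALUES (10, 1, 'alice post'), (11, 2, 'bob post'), (12, 2, 'bob again');
        """
    )
    return conn


def load_more_posts_vulnerable(conn: sqlite3.Connection, profile_user_id: str) -> List[Tuple]:
    """CWE-89 pattern: the request parameter is spliced into the SQL text, so
    'OR 1=1' widens the filter and 'UNION SELECT' reads other tables."""
    sql = f"SELECT id, body FROM posts WHERE user_id = {profile_user_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def load_more_posts_hardened(conn: sqlite3.Connection, profile_user_id: str) -> List[Tuple]:
    """Validate the type first, then bind: the value is passed to the engine as
    data and can never become SQL syntax."""
    try:
        uid = int(profile_user_id)
    except (TypeError, ValueError):
        raise ValueError("profileUserId must be an integer")
    sql = "SELECT id, body FROM posts WHERE user_id = ? ORDER BY id"
    return conn.execute(sql, (uid,)).fetchall()


def compare(payload: str) -> Tuple[List[Tuple], Any]:
    """Run one request value through both versions on a fresh database and
    return (vulnerable rows, hardened rows or the rejection message)."""
    conn = build_db()
    vuln = load_more_posts_vulnerable(conn, payload)
    try:
        safe: Any = load_more_posts_hardened(conn, payload)
    except ValueError as exc:
        safe = str(exc)
    return vuln, safe
```

The type check in front of the bound parameter is deliberate: binding alone already stops injection, but rejecting non-integers at the boundary also turns probe requests into a clean 4xx that is easy to alert on instead of an empty feed.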
2020-02-10  CVE-2013-1353  Cross-site Scripting vulnerability in Orangehrm 2.7.1  Risk: 5.4
    OrangeHRM 2.7.1 allows XSS via the vacancy name.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-79
2019-06-15  CVE-2019-12839  OS Command Injection vulnerability in Orangehrm  Risk: 8.8
    In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
    Attack vector: network | Attack complexity: low | Vendor: orangehrm | CWE-78
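The CVE-2019-12839 entry is the classic shape of CWE-78 in mail configuration: an administrator-supplied "sendmail path" that ends up on a shell command line. The Python below is an added example for this page of that pattern beside a hardened version; it is not OrangeHRM code, and the allowlist, argument names and `send_mail` helper are constructed for the example. The hardened form generalises the fix: the configured path must match a fixed allowlist of binaries, and the process is started from an argv list with no shell, so neither the path nor the recipient can introduce a second command.

```python
import os
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed allowlist (assumption): the only MTA binaries this deployment may
# hand mail to. The admin form selects one of these rather than typing a
# free-form command line.
ALLOWED_SENDMAIL_PATHS: Tuple[str, ...] = ("/usr/sbin/sendmail", "/usr/lib/sendmail")

# Absolute path made of plain path characters only; spaces, ';', '|', '&',
# '$', backticks and quotes cannot appear, so the value cannot carry shell syntax.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")


def vulnerable_sendmail_command(sendmail_path: str, recipient: str) -> str:
    """CWE-78 pattern: the admin-supplied path is joined into one string that
    is later handed to a shell, so '; id' or '$(...)' inside it executes."""
    return f"{sendmail_path} -t -i {recipient}"


def validate_sendmail_path(candidate: str,
                           allowed: Tuple[str, ...] = ALLOWED_SENDMAIL_PATHS) -> Optional[str]:
    """Return the normalized path if it names an allowlisted binary, else None."""
    candidate = candidate.strip()
    if not _SAFE_PATH.match(candidate):
        return None
    if ".." in candidate.split("/"):          # no traversal back into the allowlist
        return None
    normalized = os.path.normpath(candidate)
    if normalized not in allowed:
        return None
    return normalized


def hardened_sendmail_argv(candidate: str, recipient: str) -> List[str]:
    """Build an argv list: each element is one argument regardless of the
    characters it contains, because no shell ever parses it."""
    path = validate_sendmail_path(candidate)
    if path is None:
        raise ValueError("sendmail path is not in the allowlist")
    return [path, "-i", recipient]


def send_mail(candidate_path: str, recipient: str, message: str) -> int:
    """Invoke the validated binary with shell=False and return its exit status
    (not exercised offline; it needs a real sendmail on the host)."""
    argv = hardened_sendmail_argv(candidate_path, recipient)
    if not os.access(argv[0], os.X_OK):
        raise FileNotFoundError(f"{argv[0]} is not executable on this host")
    proc = subprocess.run(argv, input=message.encode(), check=False)
    return proc.returncode
```

Whether the allowlist lives in code, as here, or in a deployment file is a local choice; what matters is that the value stored through the admin form is a selection from it, and that the stored value is re-validated at send time rather than trusted because an administrator wrote it, since that is exactly the account the entry above says is enough.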