Vulnerabilities > Orangehrm

DATE CVE VULNERABILITY TITLE RISK
2022-04-06 CVE-2022-27107 Cross-site Scripting vulnerability in Orangehrm 4.10
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter
network
orangehrm CWE-79
3.5
2022-04-06 CVE-2022-27108 Authorization Bypass Through User-Controlled Key vulnerability in Orangehrm 4.10
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`.
network
low complexity
orangehrm CWE-639
4.0
2022-04-06 CVE-2022-27109 Open Redirect vulnerability in Orangehrm 4.10
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
network
orangehrm CWE-601
4.9
2022-04-06 CVE-2022-27110 Open Redirect vulnerability in Orangehrm 4.10
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.
network
orangehrm CWE-601
4.9
2021-04-26 CVE-2021-28399 Unspecified vulnerability in Orangehrm 4.7
OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.
network
low complexity
orangehrm
5.0
2021-01-05 CVE-2020-29437 SQL Injection vulnerability in Orangehrm
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
network
low complexity
orangehrm CWE-89
5.5
2020-02-10 CVE-2013-1353 Cross-site Scripting vulnerability in Orangehrm 2.7.1
Orange HRM 2.7.1 allows XSS via the vacancy name.
network
orangehrm CWE-79
3.5
2019-06-15 CVE-2019-12839 OS Command Injection vulnerability in Orangehrm
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
network
low complexity
orangehrm CWE-78
6.5
2015-01-13 CVE-2014-100021 Cross-site Scripting vulnerability in Orangehrm
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.
network
orangehrm CWE-79
4.3
2014-09-17 CVE-2012-1507 Cross-Site Scripting vulnerability in Orangehrm
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.
network
orangehrm CWE-79
4.3