Vulnerabilities > Orangehrm > Orangehrm > 2.7.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-05 | CVE-2020-29437 | SQL Injection vulnerability in Orangehrm SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | 5.5 |
| 2020-02-10 | CVE-2013-1353 | Cross-site Scripting vulnerability in Orangehrm 2.7.1 Orange HRM 2.7.1 allows XSS via the vacancy name. | 3.5 |
| 2019-06-15 | CVE-2019-12839 | OS Command Injection vulnerability in Orangehrm In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. | 6.5 |
| 2015-01-13 | CVE-2014-100021 | Cross-site Scripting vulnerability in Orangehrm Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter. | 4.3 |
| 2012-12-03 | CVE-2012-5367 | SQL Injection vulnerability in Orangehrm 2.7.1 Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks. | 6.0 |