Vulnerabilities > Orangehrm > Orangehrm > 3.1.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-05 | CVE-2020-29437 | SQL Injection vulnerability in Orangehrm SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | 5.5 |
| 2019-06-15 | CVE-2019-12839 | OS Command Injection vulnerability in Orangehrm In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. | 6.5 |
| 2015-01-13 | CVE-2014-100021 | Cross-site Scripting vulnerability in Orangehrm Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter. | 4.3 |