| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-06 | CVE-2022-27107 | Cross-site Scripting vulnerability in Orangehrm 4.10. OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. | network; orangehrm CWE-79; 3.5 |
| 2022-04-06 | CVE-2022-27108 | Authorization Bypass Through User-Controlled Key vulnerability in Orangehrm 4.10. OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint `symfony/web/index.php/time/createTimesheet`. | network; low complexity; orangehrm CWE-639; 4.0 |
| 2022-04-06 | CVE-2022-27109 | Open Redirect vulnerability in Orangehrm 4.10. OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | network; orangehrm CWE-601; 4.9 |
| 2022-04-06 | CVE-2022-27110 | Open Redirect vulnerability in Orangehrm 4.10. OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | network; orangehrm CWE-601; 4.9 |