Vulnerabilities > Orangehrm
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-09-17 | CVE-2012-1507 | Cross-Site Scripting vulnerability in Orangehrm Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php. | 4.3 |
| 2014-09-17 | CVE-2012-1506 | SQL Injection vulnerability in Orangehrm SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. | 6.5 |
| 2013-02-12 | CVE-2011-5259 | SQL Injection vulnerability in Orangehrm SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 6.8 |
| 2013-02-12 | CVE-2011-5258 | Cross-Site Scripting vulnerability in Orangehrm Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php. | 4.3 |
| 2012-12-03 | CVE-2012-5367 | SQL Injection vulnerability in Orangehrm 2.7.1 Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks. | 6.0 |
| 2011-09-24 | CVE-2011-3766 | Information Exposure vulnerability in Orangehrm 2.6.0.2 OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files. | 5.0 |
| 2011-04-27 | CVE-2010-4798 | Path Traversal vulnerability in Orangehrm 2.6.0.1 Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter. | 6.8 |
| 2007-11-10 | CVE-2007-5931 | Permissions, Privileges, and Access Controls vulnerability in Orangehrm The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. | 5.0 |
| 2007-03-02 | CVE-2007-1193 | Multiple Unspecified vulnerability in Orangehrm 2.1 Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors. | 9.3 |