Vulnerabilities > Orangehrm > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-20 | CVE-2022-28985 | Cross-site Scripting vulnerability in Orangehrm 4.10.1 A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | 5.4 |
| 2022-04-06 | CVE-2022-27107 | Cross-site Scripting vulnerability in Orangehrm 4.10 OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter | 5.4 |
| 2022-04-06 | CVE-2022-27108 | Authorization Bypass Through User-Controlled Key vulnerability in Orangehrm 4.10 OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. | 4.3 |
| 2022-04-06 | CVE-2022-27109 | Open Redirect vulnerability in Orangehrm 4.10 OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | 5.4 |
| 2022-04-06 | CVE-2022-27110 | Open Redirect vulnerability in Orangehrm 4.10 OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | 5.4 |
| 2021-04-26 | CVE-2021-28399 | Unspecified vulnerability in Orangehrm 4.7 OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | 5.3 |
| 2020-02-10 | CVE-2013-1353 | Cross-site Scripting vulnerability in Orangehrm 2.7.1 Orange HRM 2.7.1 allows XSS via the vacancy name. | 5.4 |