Vulnerabilities > Orangehrm > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-02-12 | CVE-2011-5258 | Cross-Site Scripting vulnerability in Orangehrm Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php. | 4.3 |
| 2012-12-03 | CVE-2012-5367 | SQL Injection vulnerability in Orangehrm 2.7.1 Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks. | 6.0 |
| 2011-09-24 | CVE-2011-3766 | Information Exposure vulnerability in Orangehrm 2.6.0.2 OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files. | 5.0 |
| 2011-04-27 | CVE-2010-4798 | Path Traversal vulnerability in Orangehrm 2.6.0.1 Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter. | 6.8 |
| 2007-11-10 | CVE-2007-5931 | Permissions, Privileges, and Access Controls vulnerability in Orangehrm The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. | 5.0 |