OrangeHRM Security Vulnerabilities
An issue in OrangeHRM 5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons (the == operator) if a specific MD5 value is present in the credential store. NOTE: this is disputed by the supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2025-05-21
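The entry does not say which stored value triggers the loose comparison; the standard case, used in the added example below, is an MD5 hex digest of the form 0e followed only by digits, which PHP treats as a numeric string equal to zero when compared with ==. The example is not OrangeHRM's code: the in-memory credential store and the function names are constructed here, and the two inputs are well-known "magic hash" strings whose MD5 digests both have that form.

```php
<?php
// Added illustration (not OrangeHRM's code) of the PHP loose-equality pattern the
// entry above describes. The credential store and the function names are
// constructed for the example; "240610708" and "QNKCDZO" are well-known inputs
// whose MD5 digests are of the form 0e<30 digits>, which PHP parses as numeric
// strings equal to zero when two of them are compared with ==.

// Constructed credential store: username => MD5 hex digest of the password.
$credentialStore = [
    'alice' => md5('240610708'),  // digest has the form 0e<digits>
    'bob'   => md5('hunter2'),    // ordinary digest, not a numeric string
];

// Vulnerable pattern: legacy MD5 check with loose equality (==). When both
// operands are numeric strings PHP compares them as numbers, so any
// 0e<digits> digest equals any other 0e<digits> digest.
function legacyHashMatchesLoose(string $storedHash, string $candidate): bool
{
    return md5($candidate) == $storedHash;
}

// Hardened pattern: constant-time, byte-for-byte comparison of the two digests.
function legacyHashMatchesStrict(string $storedHash, string $candidate): bool
{
    return hash_equals($storedHash, md5($candidate));
}

// A wrong password whose digest also has the 0e<digits> form.
$wrongPassword = 'QNKCDZO';

var_dump(legacyHashMatchesLoose($credentialStore['alice'], $wrongPassword));
var_dump(legacyHashMatchesStrict($credentialStore['alice'], $wrongPassword));
var_dump(legacyHashMatchesStrict($credentialStore['alice'], '240610708'));

// With an ordinary stored digest, == falls back to a plain string comparison
// and the flaw is unreachable. This is the supplier's point: the stored value
// must already have the special form, and the attacker cannot put it there.
var_dump(legacyHashMatchesLoose($credentialStore['bob'], $wrongPassword));
```

Run under PHP 8, the first var_dump prints bool(true): the loose check accepts "QNKCDZO" for alice even though her password is "240610708", because "0e462..." == "0e830..." compares 0.0 with 0.0. The strict check rejects it and accepts only the real password, and the loose check against bob's ordinary digest returns false. Note that PHP 8's "saner string comparison" change did not affect this case: it only changed number-versus-non-numeric-string comparisons, and two numeric strings are still compared numerically.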
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection.
CVSS Score: 8.1 | EPSS Score: 0.771 | Published: 2024-05-27
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
CVSS Score: 6.3 | EPSS Score: 0.002 | Published: 2022-05-20
OrangeHRM 4.10 is vulnerable to stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-06
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-04-06
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-04-06
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via the viewPersonalDetails endpoint.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-04-06
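The two entries above (the Referer header redirect and the Host header redirect) share one root cause: a redirect target assembled from request headers the client controls. The added example below is not OrangeHRM's code; it shows that pattern beside a version that pins every redirect to a configured canonical origin. The hostname hr.example.com, the paths and the function names are constructed for the example.

```php
<?php
// Added example (not OrangeHRM's code) of the pattern behind the Host and
// Referer header redirect entries above: redirect targets built from
// client-supplied headers, beside a version that pins every redirect to a
// configured canonical origin. The hostname, paths and function names are
// constructed for the example.

const CANONICAL_SCHEME = 'https';
const CANONICAL_HOST   = 'hr.example.com';   // assumed deployment hostname

// Vulnerable: the host comes from the request. A client that sends
// "Host: evil.example" receives a Location header pointing at evil.example.
function redirectLocationVulnerable(array $server, string $path): string
{
    return 'https://' . $server['HTTP_HOST'] . $path;
}

// Vulnerable: "go back to where you came from", taken straight from Referer.
function backLocationVulnerable(array $server): string
{
    return $server['HTTP_REFERER'] ?? '/';
}

// Hardened: never derive the origin from request headers; accept only a local
// absolute path (no scheme, no host, and no protocol-relative "//host" or
// "/\host" form, which browsers also treat as a new host).
function redirectLocationSafe(string $path): string
{
    if ($path === '' || $path[0] !== '/'
        || str_starts_with($path, '//') || str_starts_with($path, '/\\')) {
        $path = '/';
    }
    return CANONICAL_SCHEME . '://' . CANONICAL_HOST . $path;
}

// Hardened "back" link: honour Referer only when it is same-origin, and even
// then keep just its path and query and rebuild them on the canonical origin.
function backLocationSafe(array $server): string
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if ($parts === false
        || ($parts['scheme'] ?? '') !== CANONICAL_SCHEME
        || strcasecmp($parts['host'] ?? '', CANONICAL_HOST) !== 0
        || isset($parts['user']) || isset($parts['pass'])) {
        return redirectLocationSafe('/');
    }
    $path = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }
    return redirectLocationSafe($path);
}

// Constructed request in which both headers point at an attacker-chosen site.
$hostile = [
    'HTTP_HOST'    => 'evil.example',
    'HTTP_REFERER' => 'https://evil.example/login',
];
// Constructed request from a legitimate same-origin page.
$benign = [
    'HTTP_HOST'    => CANONICAL_HOST,
    'HTTP_REFERER' => 'https://hr.example.com/dashboard?tab=personal',
];

foreach (['hostile' => $hostile, 'benign' => $benign] as $label => $server) {
    echo "[$label]", PHP_EOL;
    echo '  vulnerable redirect: ', redirectLocationVulnerable($server, '/account'), PHP_EOL;
    echo '  vulnerable back:     ', backLocationVulnerable($server), PHP_EOL;
    echo '  hardened redirect:   ', redirectLocationSafe('/account'), PHP_EOL;
    echo '  hardened back:       ', backLocationSafe($server), PHP_EOL;
}
```

For the hostile request the vulnerable functions produce https://evil.example/account and https://evil.example/login, while the hardened ones produce https://hr.example.com/account and https://hr.example.com/; for the benign request the hardened back link keeps the same-origin path and query, https://hr.example.com/dashboard?tab=personal. The host check also defeats https://hr.example.com@evil.example/ (parse_url reports hr.example.com as the user part and evil.example as the host) and subdomain look-alikes such as hr.example.com.evil.example. Pinning the canonical host in application configuration, and configuring the web server so unknown Host values never reach the application, closes the Host header case even where other code still reads $_SERVER['HTTP_HOST'].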
OrangeHRM 4.7 allows an unauthenticated user to enumerate valid usernames and email addresses via the forgot password function.
CVSS Score: 5.3 | EPSS Score: 0.007 | Published: 2021-04-26
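The enumeration in the entry above comes from a forgot-password handler whose response differs depending on whether the submitted username or e-mail address exists. The added example below is not OrangeHRM's code: it shows that handler beside one whose status, body and code path are the same on both branches. The user table, the mailer stand-in and the function names are constructed for the example.

```php
<?php
// Added example (not OrangeHRM's code) of the forgot-password enumeration
// pattern in the entry above, beside a handler whose response does not depend
// on whether the submitted identifier exists. The user table, the mailer
// stand-in ($outbox) and the function names are constructed for the example.

// Constructed user store: username => e-mail address.
$users = [
    'alice' => 'alice@example.com',
    'bob'   => 'bob@example.com',
];

// Stand-in for the mailer: collects the addresses a reset link would go to.
$outbox = [];

// Resolve a username or an e-mail address to the account's e-mail, or null.
function lookupEmail(array $users, string $identifier): ?string
{
    if (isset($users[$identifier])) {
        return $users[$identifier];
    }
    return in_array($identifier, $users, true) ? $identifier : null;
}

// Vulnerable: status code and message differ between existing and unknown
// accounts, and the success message even echoes the address on file.
function forgotPasswordVulnerable(array $users, array &$outbox, string $identifier): array
{
    $email = lookupEmail($users, $identifier);
    if ($email === null) {
        return ['status' => 404, 'body' => 'No account matches that username or e-mail address.'];
    }
    $outbox[] = $email;
    return ['status' => 200, 'body' => "A reset link has been sent to $email."];
}

// Hardened: identical status and body on both paths; the lookup runs on both
// paths and mail is sent only when there is an account to send it to.
function forgotPasswordSafe(array $users, array &$outbox, string $identifier): array
{
    $email = lookupEmail($users, $identifier);
    if ($email !== null) {
        $outbox[] = $email;
    }
    return [
        'status' => 200,
        'body'   => 'If an account matches, a reset link has been sent to the address on file.',
    ];
}

// Probe with a known username, a known e-mail address and an unknown value.
foreach (['alice', 'bob@example.com', 'nobody'] as $probe) {
    $v = forgotPasswordVulnerable($users, $outbox, $probe);
    $s = forgotPasswordSafe($users, $outbox, $probe);
    printf("%-16s vulnerable: %d %s\n", $probe, $v['status'], $v['body']);
    printf("%-16s hardened:   %d %s\n", '', $s['status'], $s['body']);
}
```

The vulnerable handler answers 404 for "nobody" and 200 with the address for the two real identifiers, so a probe of a candidate list yields exactly the valid entries; the hardened handler answers the same 200 and the same sentence for all three, and $outbox still only ever receives real addresses. Two caveats a uniform message does not cover: response time (hand the mail to a queue rather than sending it inline, so the existing-account branch does not take visibly longer) and rate limiting per source address and per identifier, since the reset endpoint remains unauthenticated.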
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
CVSS Score: 8.1 | EPSS Score: 0.013 | Published: 2021-01-05
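The two SQL injection entries on this page are fixed differently: the 3.3.3 admin/viewProjects sortOrder parameter lands in an ORDER BY clause, where a prepared-statement placeholder is not allowed, so it needs an allowlist; the 4.6 Buzz loadMorePostsForm[profileUserId] parameter is a plain value and should be validated and bound. The added example below covers both. It is not OrangeHRM's code: the schema, rows, function names and payloads are constructed for the example, and it runs against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed).

```php
<?php
// Added example (not OrangeHRM's code) covering both SQL injection entries on
// this page: a sort-direction parameter (3.3.3 admin/viewProjects sortOrder),
// which ends up in ORDER BY and cannot be bound, and a value parameter
// (4.6 Buzz loadMorePostsForm[profileUserId]), which can. Schema, rows,
// function names and payloads are constructed for the example; it runs against
// an in-memory SQLite database via PDO.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO project VALUES (1, 'Payroll'), (2, 'Onboarding'), (3, 'Audit')");
$db->exec("INSERT INTO post VALUES (1, 7, 'post by user 7'), (2, 8, 'private post by user 8')");

// ---- sort direction (sortOrder) -------------------------------------------

// Vulnerable: the request value is spliced into ORDER BY as-is.
function listProjectsVulnerable(PDO $db, string $sortOrder): array
{
    return $db->query("SELECT name FROM project ORDER BY name $sortOrder")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: placeholders are not allowed in ORDER BY, so map the request value
// onto a fixed set of SQL fragments and reject anything else.
function listProjectsSafe(PDO $db, string $sortOrder): array
{
    $allowed = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $direction = $allowed[strtoupper($sortOrder)] ?? null;
    if ($direction === null) {
        throw new InvalidArgumentException('invalid sortOrder');
    }
    return $db->query("SELECT name FROM project ORDER BY name $direction")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sort payload: neutralises the intended sort key (a non-numeric
// TEXT times 0 is 0 in SQLite) and makes the row order depend on the truth of
// an attacker-chosen condition, the usual shape of a blind oracle in ORDER BY.
function sortOracle(string $condition): string
{
    return "* 0, (CASE WHEN ($condition) THEN id ELSE -id END)";
}

// ---- value parameter (profileUserId) --------------------------------------

// Vulnerable: profileUserId concatenated into the WHERE clause.
function loadPostsVulnerable(PDO $db, string $profileUserId): array
{
    return $db->query("SELECT body FROM post WHERE user_id = $profileUserId")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type, then bind the value so the driver never
// interprets it as SQL.
function loadPostsSafe(PDO $db, string $profileUserId): array
{
    $uid = filter_var($profileUserId, FILTER_VALIDATE_INT);
    if ($uid === false) {
        throw new InvalidArgumentException('invalid profileUserId');
    }
    $stmt = $db->prepare('SELECT body FROM post WHERE user_id = :uid');
    $stmt->execute([':uid' => $uid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// ---- demonstration --------------------------------------------------------

print_r(listProjectsVulnerable($db, 'ASC'));
// Row order now depends on the embedded condition: user 8 has posts, user 9 has none.
print_r(listProjectsVulnerable($db, sortOracle('SELECT count(*) FROM post WHERE user_id = 8')));
print_r(listProjectsVulnerable($db, sortOracle('SELECT count(*) FROM post WHERE user_id = 9')));

print_r(loadPostsVulnerable($db, '7 OR 1=1'));
print_r(loadPostsSafe($db, '7'));

foreach ([['listProjectsSafe', sortOracle('1=1')], ['loadPostsSafe', '7 OR 1=1']] as [$fn, $arg]) {
    try {
        $fn($db, $arg);
    } catch (InvalidArgumentException $e) {
        echo "$fn rejected input: ", $e->getMessage(), PHP_EOL;
    }
}
```

With the plain ASC value the vulnerable query returns Audit, Onboarding, Payroll. With the oracle payload the first sort key is constant, so the order is decided by the CASE expression: id ascending (Payroll, Onboarding, Audit) when the condition is true and -id ascending (Audit, Onboarding, Payroll) when it is false, which is enough to extract arbitrary data one bit per request. "7 OR 1=1" makes the vulnerable posts query return user 8's private post alongside user 7's; the hardened version rejects that input and, for "7", returns only user 7's post. The sort allowlist maps request values onto fixed SQL fragments rather than validating them with a regular expression: the same approach extends to column names, and it never lets request bytes reach the query text.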
Orange HRM 2.7.1 allows XSS via the vacancy name.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-02-10


Shodan ® - All rights reserved