Orangehrm: >> Orangehrm >> 4.3.1 Security Vulnerabilities
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
CVSS Score
8.1
EPSS Score
0.01
Published
2021-01-05
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-06-15