Orangehrm: >> Orangehrm >> 2.7.1 Security Vulnerabilities
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
CVSS Score
8.1
EPSS Score
0.01
Published
2021-01-05
Orange HRM 2.7.1 allows XSS via the vacancy name.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-02-10
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-06-15
Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.
CVSS Score
4.3
EPSS Score
0.003
Published
2015-01-13
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.
CVSS Score
6.0
EPSS Score
0.012
Published
2012-12-03