Filtered by vendor Orangehrm
Subscriptions
Filtered by product Orangehrm
Subscriptions
Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2010-4798 | 1 Orangehrm | 1 Orangehrm | 2025-04-11 | N/A |
| Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter. | ||||
| CVE-2012-5367 | 1 Orangehrm | 1 Orangehrm | 2025-04-11 | N/A |
| Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks. | ||||
| CVE-2022-28985 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 6.3 Medium |
| A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | ||||
| CVE-2022-27110 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | ||||
| CVE-2022-27109 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | ||||
| CVE-2022-27108 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 4.3 Medium |
| OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account. | ||||
| CVE-2022-27107 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter | ||||
| CVE-2021-28399 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.3 Medium |
| OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | ||||
| CVE-2020-29437 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 8.1 High |
| SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | ||||
| CVE-2019-12839 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | N/A |
| In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. | ||||
| CVE-2013-1353 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| Orange HRM 2.7.1 allows XSS via the vacancy name. | ||||