Filtered by vendor Orangehrm
Subscribe
Total
26 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27108 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account. | |||||
| CVE-2022-27107 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter | |||||
| CVE-2021-28399 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | |||||
| CVE-2020-29437 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | |||||
| CVE-2019-12839 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. | |||||
| CVE-2013-1353 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Orange HRM 2.7.1 allows XSS via the vacancy name. | |||||