Filtered by vendor Orangehrm
Subscriptions
Filtered by product Orangehrm
Subscriptions
Total
26 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-27108 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 4.3 Medium |
| OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account. | ||||
| CVE-2022-27107 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter | ||||
| CVE-2021-28399 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.3 Medium |
| OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | ||||
| CVE-2020-29437 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 8.1 High |
| SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | ||||
| CVE-2019-12839 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | N/A |
| In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. | ||||
| CVE-2013-1353 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| Orange HRM 2.7.1 allows XSS via the vacancy name. | ||||