Orangehrm : Security Vulnerabilities, CVEs, CVSS score >= 7
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
Max CVSS
8.1
EPSS Score
0.19%
Published
2021-01-05
Updated
2021-01-07
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
Max CVSS
8.8
EPSS Score
0.13%
Published
2019-06-15
Updated
2020-08-24
Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.
Max CVSS
9.3
EPSS Score
0.45%
Published
2007-03-02
Updated
2011-03-08
3 vulnerabilities found