Orangehrm : Security Vulnerabilities, CVEs, CVSS score >= 7

CVE-2020-29437

SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
Max CVSS
8.1
EPSS Score
0.19%
Published
2021-01-05
Updated
2021-01-07

CVE-2019-12839

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
Max CVSS
8.8
EPSS Score
0.13%
Published
2019-06-15
Updated
2020-08-24

CVE-2007-1193

Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.
Max CVSS
9.3
EPSS Score
0.45%
Published
2007-03-02
Updated
2011-03-08
3 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close