Orangehrm : Security Vulnerabilities, CVEs, (Sql injection)
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
Max CVSS
8.1
EPSS Score
0.19%
Published
2021-01-05
Updated
2021-01-07
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.
Max CVSS
6.0
EPSS Score
0.09%
Published
2012-12-03
Updated
2017-08-29
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.
Max CVSS
6.5
EPSS Score
0.14%
Published
2014-09-17
Updated
2017-08-29
SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Max CVSS
6.8
EPSS Score
0.52%
Published
2013-02-12
Updated
2018-10-09
4 vulnerabilities found