7.2

CVE-2025-44040

EPSS 0.4%
Veröffentlicht 21.05.2025 00:00:00
Zuletzt bearbeitet 13.10.2025 20:15:33
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orangehrm ≫ Orangehrm Version5.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.32

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/orangehrm/orangehrm/releases/tag/v5.7

Release Notes

https://github.com/hexomedin3/advisories/tree/main/CVE-2025-44040

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-44040

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-44040

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-44040

EUVD