7.2

CVE-2025-44040

EPSS 0.1%
Veröffentlicht 21.05.2025 00:00:00
Zuletzt bearbeitet 13.10.2025 20:15:33
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orangehrm ≫ Orangehrm Version5.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.273

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/orangehrm/orangehrm/releases/tag/v5.7

Release Notes

https://github.com/hexomedin3/advisories/tree/main/CVE-2025-44040

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-44040

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-44040

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-44040

EUVD