CVE-2026-39349
- EPSS 0.01%
- Published 07.04.2026 18:22:38
- Last modified 10.04.2026 19:32:40
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern dis...
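The pattern leak the advisory describes is easy to show and easy to check for. The following Go program is an added example, not OrangeHRM code: it encrypts a plaintext containing two identical 16-byte blocks once with AES-ECB (assembled by hand from the raw block cipher, since Go's standard library offers no ECB helper) and once with AES-GCM, then counts repeated ciphertext blocks. The key and plaintext are constructed for the demonstration; `duplicateBlocks` is the kind of heuristic an auditor can run over an exported encrypted column to spot ECB in the field.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed 128-bit key for the demonstration; a deployment loads it from a secret store.
var demoKey = []byte("0123456789abcdef")

// encryptECB applies AES block by block with no chaining. This is the weak
// construction the advisory describes and is shown only for comparison.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM is the corrected construction: authenticated encryption with a
// fresh random nonce per message, so equal plaintext blocks never repeat in
// the ciphertext and tampering is detected on decryption.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Nonce is prepended so the decrypting side can recover it.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// duplicateBlocks counts 16-byte ciphertext blocks that have already been seen.
// Any non-zero count on short ciphertexts is the classic ECB fingerprint.
func duplicateBlocks(ciphertext []byte) int {
	seen := make(map[string]int)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		k := string(ciphertext[i : i+aes.BlockSize])
		if seen[k] > 0 {
			dups++
		}
		seen[k]++
	}
	return dups
}

func main() {
	// Constructed plaintext: the same 16-byte block twice, as happens when a
	// field holds repeated values or block-aligned structure.
	pt := bytes.Repeat([]byte("SAME-PLAIN-BLOCK"), 2)
	ecb, _ := encryptECB(demoKey, pt)
	gcm, _ := encryptGCM(demoKey, pt)
	fmt.Printf("ECB duplicate blocks: %d\n", duplicateBlocks(ecb))
	fmt.Printf("GCM duplicate blocks: %d\n", duplicateBlocks(gcm))
}
```

Because the two plaintext blocks are identical, the two ECB ciphertext blocks are byte-for-byte equal; under GCM the same input yields no repeated blocks. Migrating stored fields means decrypting with the old mode and re-encrypting with an AEAD, since the old ciphertexts keep leaking structure as long as they exist.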
CVE-2026-39348
- EPSS 0.03%
- Published 07.04.2026 18:21:29
- Last modified 10.04.2026 19:33:25
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachme...
CVE-2026-39347
- EPSS 0.04%
- Published 07.04.2026 18:20:35
- Last modified 09.04.2026 18:25:04
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity o...
CVE-2026-39346
- EPSS 0.04%
- Published 07.04.2026 18:19:24
- Last modified 09.04.2026 18:24:18
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabl...
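A disabled-module check that inspects the raw request path while the router dispatches on the decoded one is a canonicalization mismatch: `%68ypothetical` is not a prefix match for `hypothetical`, yet the router serves the same handler. The Go program below is an added example and not OrangeHRM's code; the module prefixes are placeholders. It contrasts the raw-path check with one applied after a single percent-decode and `path.Clean`, rejecting double-encoded input instead of guessing, and matching only on a segment boundary.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed list of disabled route prefixes; these are placeholders, not real module paths.
var disabledModules = []string{"/web/index.php/hypothetical", "/api/v2/hypothetical"}

// isDisabledRaw is the flawed check: it matches the undecoded path, so a
// percent-encoded letter or a "../" segment slips past even though the router
// resolves both to the disabled prefix before dispatching.
func isDisabledRaw(rawPath string) bool {
	for _, m := range disabledModules {
		if strings.HasPrefix(rawPath, m) {
			return true
		}
	}
	return false
}

// canonicalPath decodes percent-escapes exactly once and collapses "." and ".."
// segments, so the access check sees the path the router will dispatch on.
// A "%" surviving the single decode indicates double encoding and is rejected.
func canonicalPath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if strings.Contains(decoded, "%") {
		return "", fmt.Errorf("double-encoded path rejected: %q", rawPath)
	}
	cleaned := path.Clean("/" + decoded) // leading slash guarantees an absolute, rooted result
	return strings.ToLower(cleaned), nil
}

// isDisabledCanonical is the corrected check. It fails closed on unparseable
// input and only matches on a segment boundary, so "/api/v2/hypothetical2"
// is not confused with the disabled module.
func isDisabledCanonical(rawPath string) (bool, error) {
	p, err := canonicalPath(rawPath)
	if err != nil {
		return true, err
	}
	for _, m := range disabledModules {
		m = strings.ToLower(m)
		if p == m || strings.HasPrefix(p, m+"/") {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, req := range []string{
		"/api/v2/hypothetical/employees",
		"/api/v2/%68ypothetical/employees",
		"/api/v2/other/../hypothetical/employees",
		"/api/v2/%2568ypothetical/employees",
	} {
		blocked, err := isDisabledCanonical(req)
		fmt.Printf("%-42s raw=%-5v canonical=%-5v err=%v\n", req, isDisabledRaw(req), blocked, err)
	}
}
```

The important property is that the check and the router agree on one canonical form. Lower-casing is appropriate only if the router itself is case-insensitive; on a case-sensitive router it should be dropped so the check is neither looser nor stricter than dispatch.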
CVE-2026-39345
- EPSS 0.04%
- Published 07.04.2026 18:17:35
- Last modified 09.04.2026 16:29:49
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the temp...
CVE-2025-66291
- EPSS 0.05%
- Published 29.11.2025 03:08:00
- Last modified 03.12.2025 16:30:13
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, w...
CVE-2025-66290
- EPSS 0.04%
- Published 29.11.2025 03:06:56
- Last modified 03.12.2025 16:46:12
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users re...
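CVE-2026-39348, CVE-2025-66291 and CVE-2025-66290 share one root cause: an attachment download handler that authenticates the session and then trusts a user-supplied identifier, with no check that this user may see this record. The Go program below is an added example, not OrangeHRM's code; the roles, tables and relationships are constructed stand-ins. It shows the vulnerable handler beside one that makes an object-level decision per record and returns the same "not found" for missing and forbidden IDs so the endpoint cannot be used to enumerate valid ones.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed role and record types; OrangeHRM's real data model is not reproduced here.
type Role int

const (
	RoleESS           Role = iota // ordinary employee self-service user
	RoleInterviewer               // may read attachments of candidates they interview
	RoleHiringManager             // may read all attachments of vacancies they own
	RoleAdmin
)

type User struct {
	ID   int
	Role Role
}

type Attachment struct {
	ID          int
	VacancyID   int
	CandidateID int
	Path        string
}

// Constructed fixtures standing in for database rows.
var attachments = map[int]Attachment{
	1: {ID: 1, VacancyID: 10, CandidateID: 100, Path: "/data/attach/cv-100.pdf"},
	2: {ID: 2, VacancyID: 11, CandidateID: 101, Path: "/data/attach/cv-101.pdf"},
}
var vacancyOwner = map[int]int{10: 7, 11: 8}           // vacancy ID -> hiring manager user ID
var interviewers = map[int][]int{100: {5}, 101: {5, 6}} // candidate ID -> interviewer user IDs

var ErrNotFound = errors.New("not found")

// downloadVulnerable is the pattern the advisories describe: any logged-in
// session plus a guessed identifier returns the file.
func downloadVulnerable(u User, attachmentID int) (string, error) {
	a, ok := attachments[attachmentID]
	if !ok {
		return "", ErrNotFound
	}
	return a.Path, nil
}

// canReadAttachment is the missing check: the decision depends on the
// relationship between the requesting user and the specific record.
func canReadAttachment(u User, a Attachment) bool {
	switch u.Role {
	case RoleAdmin:
		return true
	case RoleHiringManager:
		return vacancyOwner[a.VacancyID] == u.ID
	case RoleInterviewer:
		for _, id := range interviewers[a.CandidateID] {
			if id == u.ID {
				return true
			}
		}
	}
	return false
}

// downloadHardened looks the record up and authorizes it before serving, and
// does not distinguish "no such record" from "not yours" in its response.
func downloadHardened(u User, attachmentID int) (string, error) {
	a, ok := attachments[attachmentID]
	if !ok || !canReadAttachment(u, a) {
		return "", ErrNotFound
	}
	return a.Path, nil
}

func main() {
	ess := User{ID: 42, Role: RoleESS}
	p, err := downloadVulnerable(ess, 1)
	fmt.Println("vulnerable:", p, err)
	p, err = downloadHardened(ess, 1)
	fmt.Println("hardened:  ", p, err)
}
```

The authorization lives next to the lookup rather than in a route-level middleware because the answer depends on the row itself. The same structure applies to the job-specification and vacancy-attachment handlers: look up the record, decide on the (user, record) pair, then serve.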
CVE-2025-66289
- EPSS 0.08%
- Published 29.11.2025 03:06:25
- Last modified 03.12.2025 16:47:32
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain va...
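Revoking every session of a user at the moment of a password change or account disablement does not require enumerating their cookies. The Go program below is an added example, not OrangeHRM's code, using constructed in-memory stores: each account carries an authentication generation counter that is stamped into every session at login, and every request compares the two. Bumping the counter, or flagging the account disabled, makes all outstanding cookies fail on their next use.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Constructed in-memory stores; a deployment backs these with its database or session backend.
type account struct {
	disabled bool
	authGen  uint64 // incremented on every credential or status change
}

type session struct {
	username string
	authGen  uint64 // the account's generation when this session was issued
}

type Store struct {
	mu       sync.Mutex
	accounts map[string]*account
	sessions map[string]session
}

var (
	ErrInvalidSession  = errors.New("invalid session")
	ErrAccountDisabled = errors.New("account disabled")
)

func NewStore() *Store {
	return &Store{accounts: map[string]*account{}, sessions: map[string]session{}}
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login issues a session bound to the account's current generation.
// Credential verification is omitted; unknown users are auto-provisioned
// purely so the example runs stand-alone.
func (s *Store) Login(username string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	acc, ok := s.accounts[username]
	if !ok {
		acc = &account{}
		s.accounts[username] = acc
	}
	if acc.disabled {
		return "", ErrAccountDisabled
	}
	tok := newToken()
	s.sessions[tok] = session{username: username, authGen: acc.authGen}
	return tok, nil
}

// Resolve is the per-request check: the cookie is accepted only if the account
// is still enabled and no credential change has happened since issuance.
func (s *Store) Resolve(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrInvalidSession
	}
	acc := s.accounts[sess.username]
	if acc == nil || acc.disabled || acc.authGen != sess.authGen {
		delete(s.sessions, token) // drop the stale cookie eagerly
		return "", ErrInvalidSession
	}
	return sess.username, nil
}

// bump invalidates every outstanding session for the user in O(1). Caller holds s.mu.
func (s *Store) bump(username string) {
	if acc := s.accounts[username]; acc != nil {
		acc.authGen++
	}
}

func (s *Store) ChangePassword(username string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.bump(username) // the new password hash would be stored here as well
}

func (s *Store) Disable(username string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if acc := s.accounts[username]; acc != nil {
		acc.disabled = true
	}
	s.bump(username)
}

func main() {
	st := NewStore()
	old, _ := st.Login("alice")
	st.ChangePassword("alice")
	_, err := st.Resolve(old)
	fmt.Println("old cookie after password change:", err)
	fresh, _ := st.Login("alice")
	st.Disable("alice")
	_, err = st.Resolve(fresh)
	fmt.Println("cookie after disable:", err)
}
```

With a stateless token format the same idea works by embedding the generation in the signed token and keeping only the per-account counter server-side; the `disabled` flag still needs a server-side lookup on every request, which is the price of being able to cut a user off immediately.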
CVE-2025-66225
- EPSS 0.06%
- Published 29.11.2025 03:05:46
- Last modified 03.12.2025 16:51:00
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was orig...
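A reset token is only meaningful if it is bound to the account it was issued for; the final request must derive the target account from the token record, never from a username the client submits. The Go program below is an added example, not OrangeHRM's code, with a constructed in-memory reset table keyed by the SHA-256 of the token. It shows a finishing step that trusts the submitted username beside one that uses the stored binding, enforces expiry and makes the token single-use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type resetRecord struct {
	username string
	expires  time.Time
}

// Constructed store keyed by the token's hash, so a leaked table does not yield usable tokens.
var resets = map[[32]byte]resetRecord{}

var ErrBadReset = errors.New("invalid or expired reset token")

func hashToken(tok string) [32]byte { return sha256.Sum256([]byte(tok)) }

// StartReset issues a random token bound to exactly one account.
func StartReset(username string, now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	resets[hashToken(tok)] = resetRecord{username: username, expires: now.Add(15 * time.Minute)}
	return tok
}

// FinishResetVulnerable mirrors the flaw: the token is checked for existence
// but the username in the final request is trusted, so a token issued for one
// account can set the password of another.
func FinishResetVulnerable(tok, username string, now time.Time, setPassword func(string)) error {
	h := hashToken(tok)
	rec, ok := resets[h]
	if !ok || now.After(rec.expires) {
		return ErrBadReset
	}
	delete(resets, h)
	setPassword(username) // authority taken from the request, not the token
	return nil
}

// FinishResetHardened binds the final step to the account recorded at issuance.
// The submitted username is at most a consistency check; a mismatch is treated
// like an invalid token and does not consume it.
func FinishResetHardened(tok, username string, now time.Time, setPassword func(string)) error {
	h := hashToken(tok)
	rec, ok := resets[h]
	if !ok || now.After(rec.expires) {
		return ErrBadReset
	}
	if rec.username != username {
		return ErrBadReset
	}
	delete(resets, h) // single use
	setPassword(rec.username)
	return nil
}

func main() {
	now := time.Now()
	changed := ""
	record := func(u string) { changed = u }

	tok := StartReset("victim", now)
	fmt.Println("vulnerable:", FinishResetVulnerable(tok, "attacker", now, record), "changed:", changed)

	tok = StartReset("victim", now)
	fmt.Println("hardened, mismatch:", FinishResetHardened(tok, "attacker", now, record))
	fmt.Println("hardened, match:   ", FinishResetHardened(tok, "victim", now, record), "changed:", changed)
}
```

Taking `now` as a parameter keeps expiry testable. In production the same function should also invalidate the account's existing sessions after a successful reset, for the reason given under CVE-2025-66289.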
CVE-2025-66224
- EPSS 0.14%
- Published 29.11.2025 03:04:42
- Last modified 03.12.2025 16:55:22
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly in...
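When user-controlled values reach a mail header unneutralized, a value containing `\r\n` terminates the current header and starts a new one (an extra `Bcc:`, a replaced `From:`, or a blank line followed by an attacker-chosen body). The Go program below is an added example, not OrangeHRM's code, that builds a minimal message the unsafe way and the safe way: the hardened builder rejects any header value containing line breaks or NUL and parses the recipient as a single RFC 5322 address before re-serializing it. The inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

var ErrHeaderInjection = errors.New("header value contains line break")

// buildVulnerable concatenates user-controlled values straight into the header
// block, so a value containing "\r\n" adds headers of the attacker's choosing.
func buildVulnerable(to, subject, body string) string {
	return "To: " + to + "\r\nSubject: " + subject + "\r\n\r\n" + body
}

// neutralizeHeader rejects any value that could terminate the header line.
// Rejecting is preferable to stripping: a stripped value may still be wrong,
// and the caller should learn that the input was hostile.
func neutralizeHeader(v string) (string, error) {
	if strings.ContainsAny(v, "\r\n\x00") {
		return "", ErrHeaderInjection
	}
	return v, nil
}

// buildHardened validates each header value, parses the recipient as exactly
// one address, and re-serializes it so only the canonical form reaches the
// transport. Anything trailing the address, such as an injected header, makes
// mail.ParseAddress fail.
func buildHardened(to, subject, body string) (string, error) {
	addr, err := mail.ParseAddress(to)
	if err != nil {
		return "", fmt.Errorf("recipient: %w", err)
	}
	subj, err := neutralizeHeader(subject)
	if err != nil {
		return "", fmt.Errorf("subject: %w", err)
	}
	return "To: " + addr.String() + "\r\nSubject: " + subj + "\r\n\r\n" + body, nil
}

// countHeaders returns the number of header lines in a message; an injected
// message shows more headers than the template defined.
func countHeaders(msg string) int {
	head, _, _ := strings.Cut(msg, "\r\n\r\n")
	return len(strings.Split(head, "\r\n"))
}

func main() {
	// Constructed hostile recipient: a valid address followed by an injected Bcc header.
	evil := "a@example.com\r\nBcc: b@evil.example"
	fmt.Println("vulnerable header count:", countHeaders(buildVulnerable(evil, "hi", "body")))
	_, err := buildHardened(evil, "hi", "body")
	fmt.Println("hardened:", err)
}
```

The same `neutralizeHeader` rule applies to every header populated from configuration or form fields (sender name, reply-to, subject); the body is exempt because it sits after the blank line and cannot create headers, though it still needs its own encoding for the chosen content type.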