OrangeHRM 2.5.0.4 Multiple Vulnerabilities
BID:40044
Info
| Field | Value |
|---|---|
| Bugtraq ID: | 40044 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 10 2010 12:00AM |
| Updated: | May 10 2010 12:00AM |
| Credit: | Tamas Czigany and Laszlo Klock |
| Vulnerable: | OrangeHRM OrangeHRM 2.5 .4 |
| Not Vulnerable: | |
Discussion
OrangeHRM is prone to multiple vulnerabilities, including multiple HTML-injection issues, multiple cross-site scripting issues, multiple SQL-injection issues, a remote code-injection issue, and multiple security-bypass issues.
Attackers can exploit these issues to gain administrative access to the affected application, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, compromise the application, execute arbitrary PHP code within the context of the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
OrangeHRM 2.5.0.4 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can use a browser to exploit these issues. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URI.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- OrangeHRM Homepage (OrangeHRM)
- SA00001-2010 (Zakar Miklos)