OrangeHRM Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Bugtraq ID:	50857
Class:	Input Validation Error
CVE:	CVE-2011-5258 CVE-2011-5259
Remote:	Yes
Local:	No
Published:	Nov 30 2011 12:00AM
Updated:	Feb 14 2013 12:21PM
Credit:	High-Tech Bridge SA Security Research Lab
Vulnerable:	OrangeHRM OrangeHRM 2.6.11 OrangeHRM OrangeHRM 2.6.3 OrangeHRM OrangeHRM 2.6.2 OrangeHRM OrangeHRM 2.6 1 OrangeHRM OrangeHRM 2.5 .4 OrangeHRM OrangeHRM 2.4.2 OrangeHRM OrangeHRM 2.4.1 OrangeHRM OrangeHRM 2.2.2 OrangeHRM OrangeHRM 2.2.1 OrangeHRM OrangeHRM 2.4 OrangeHRM OrangeHRM 2.2 OrangeHRM OrangeHRM 2.1 (alpha 5) OrangeHRM OrangeHRM 2.1 (alpha 4) OrangeHRM OrangeHRM 2.1
Not Vulnerable:	OrangeHRM OrangeHRM 2.6.11.2

OrangeHRM Multiple Cross Site Scripting and SQL Injection Vulnerabilities

OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.

OrangeHRM Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting user to follow a malicious URI.

The following example URIs are available:

• /data/vulnerabilities/exploits/50857.txt

OrangeHRM Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Solution:
Updates are available. Please see the references for details.

OrangeHRM Multiple Cross Site Scripting and SQL Injection Vulnerabilities

References:

• OrangeHRM Homepage (OrangeHRM)
  
• Multiple vulnerabilities in OrangeHRM ([email protected])
  
• Multiple vulnerabilities in OrangeHRM (High-Tech Bridge SA Security Research Lab)