📦 OrangeHRM
by OrangeHRM
⚠️ Known Vulnerabilities
OrangeHRM versions 5.0 through 5.7 contain a command injection vulnerability in the mail configuration workflow. Unauthenticated attackers can exploit this to write files to the server and potentially...
This vulnerability allows attackers to reset passwords for any user account in OrangeHRM, including administrative accounts, by exploiting a flaw in the password reset workflow. Attackers need access ...
OrangeHRM versions 5.0 through 5.7 fail to invalidate active user sessions when accounts are disabled or passwords are changed. This allows disabled users or attackers with compromised credentials to ...
A privilege escalation vulnerability in OrangeHRM v5.7 allows attackers to bypass authentication via PHP loose-equality comparisons if a specific MD5 hash exists in the credential store. This affects ...
This vulnerability allows any authenticated user in OrangeHRM to download candidate attachments (CVs, documents) without proper authorization checks. Users with only ESS-level access who shouldn't hav...
OrangeHRM versions 5.0 to 5.7 have an authorization bypass vulnerability in the Recruitment module's interview attachment endpoint. Authenticated ESS-level users without recruitment permissions can ac...