Vendor: OrangeHRM
By:
CVSS: 7.5 (HIGH)
CWE: SQL Injection and Cross-Site Scripting
Product Name: OrangeHRM
Affected Version From: 2.6.11
Affected Version To: Prior versions may also be affected
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
OrangeHRM SQL Injection and Cross-Site Scripting Vulnerabilities
The vulnerabilities in OrangeHRM could allow an attacker to steal authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Mitigation:
Apply patches and updates provided by the vendor. Implement input validation and output encoding to prevent SQL injection and XSS attacks. Regularly monitor and test the application for vulnerabilities.