CVE-2019-12839

2019-06-1519:27:41

mitre

www.cve.org

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

47.8%

JSON

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.

References

ctrsec.io/index.php/2019/06/11/ace-orangehrm/

github.com/orangehrm/orangehrm/pull/528