4 matches found

CVE
added 2012/12/03 9:00 p.m., 44 views

CVE-2012-5367

OrangeHRM 2.7.1 RC 1 contains SQL injection in the /symfony/web/index.php/admin/ endpoints (viewCustomers, viewPayGrades, viewSystemUsers) triggered by the sortField parameter. The vulnerability is exploitable via CSRF and can allow an attacker to alter database queries; HTB’s advisory notes that...

CVSS: 6, AI score: 8.4, EPSS: 0.01464
Exploits: 3, References: 6, Affected Software: 1
Packet Storm
added 2012/11/07 12:00 a.m., 49 views

OrangeHRM 2.7.1-rc.1 Cross Site Request Forgery / SQL Injection

Advisory ID: HTB23119 Product: OrangeHRM Vendor: OrangeHRM Inc. Vulnerable Versions: 2.7.1-rc.1 and probably prior Tested Version: 2.7.1-rc.1 Vendor Notification: October 10, 2012 Public Disclosure: October 31, 2012 Vulnerability Type: SQL Injection CWE-89 CVE Reference: CVE-2012-5367 CVSSv2 Base...

CVSS: 6, AI score: 0.6, EPSS: 0.01464
Exploits: 3
0day.today
added 2012/11/07 12:00 a.m., 39 views

OrangeHRM 2.7.1-rc.1 Cross Site Request Forgery / SQL Injection Vulnerabilities

OrangeHRM version 2.7.1-rc.1 suffers from cross site request forgery and remote SQL injection vulnerabilities. Product: OrangeHRM Vendor: OrangeHRM Inc. Vulnerable Versions: 2.7.1-rc.1 and probably prior Tested Version: 2.7.1-rc.1 Vendor Notification: October 10, 2012 Public Disclosure: October 3...

AI score: 7.8, EPSS: 0.01464
Exploits: 3
securityvulns
added 2012/11/01 12:00 a.m., 97 views

SQL Injection Vulnerability in OrangeHRM

Advisory ID: HTB23119 Product: OrangeHRM Vendor: OrangeHRM Inc. Vulnerable Versions: 2.7.1-rc.1 and probably prior Tested Version: 2.7.1-rc.1 Vendor Notification: October 10, 2012 Public Disclosure: October 31, 2012 Vulnerability Type: SQL Injection CWE-89 CVE Reference: CVE-2012-5367 CVSSv2 Base...

CVSS: 6, AI score: 0.1, EPSS: 0.01464
Exploits: 3