12 matches found
EUVD-2021-22597
Malware in sbrugna...
CVE-2021-35966
The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which allows the URL to be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks...
CVE-2021-35967
The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory through Path Traversal without logging in...
CVE-2021-35964
The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, and modify and delete the courses in the system, thus causing users to fail to access the...
CVE-2021-35968
The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory through Path Traversal with users’ privileges...
Design/Logic Flaw
The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which allows the URL to be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks...
Path traversal
The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory through Path Traversal with users’ privileges...
CVE-2021-35968
The CVE-2021-35968 entry concerns LearningDigital’s Orca HCM digital learning platform. Affected component: the directory listing page parameter. Root cause: improper filtering of special characters enables Path Traversal. Impact: remote attackers could access system directories under the user’s ...
CVE-2021-35967
The CVE-2021-35967 entry describes a Path Traversal vulnerability in the Orca HCM digital learning platform. The issue arises because the directory page parameter does not filter special characters, allowing remote attackers to access the system directory without authentication. The vulnerability...
CVE-2021-35965
CVE-2021-35965 affects the Orca HCM digital learning platform. The vulnerability arises from a hard-coded, weak factory-default administrator password embedded in the webpage source, enabling remote attackers to gain administrator privileges without authentication. NVD specifies CVSSv3.1 base sco...
CVE-2021-35964
CVE-2021-35964 affects the Orca HCM digital learning platform. The admin/management page does not perform identity verification, enabling remote attackers to perform management functions without logging in. This can lead to access to members’ information and the ability to modify or delete course...
CVE-2021-35963
The CVE-2021-35963 entry concerns Orca HCM from LearningDigital.com. A parameter in the platform’s upload function does not filter file formats, enabling remote unauthenticated attackers to upload files containing malicious scripts and execute RCE. This is supported by multiple sources (NVD entry...