CVE-2019-18626

Affected product: Harris Ormed Self Service, prior to 2019.1.4. Vulnerability core: authenticated users can supply an arbitrary empNo to the URI RetrieveW2EntriesForEmployee under ORMEDMIS/Data/PY/T4W2Service.svc/ RetrieveW2EntriesForEmployee, leading to disclosure of W-2 forms and sensitive data...