OrangeHRM 2.7.1 -- the latest stable release as of this writing -- suffers from a persistent XSS in the vacancy name variable. Steps:
Navigate to following URL: http://[domain]/symfony/web/index.php/recruitment/viewJobVacancy
Add or Edit a Vacancy
Screen shots of above exploit steps may be found on my website (for those who want additional validation): http://securitymaverick.com/?p=408
I contacted OrangeHRM but did not receive a reply.
PS -Currently on twitter: https://twitter.com/infosecmaverick
 http://sourceforge.net/projects/orangehrm/  http://sourceforge.net/projects/orangehrm/files/stable/2.7.1/  http://www.orangehrm.com/