Zerodaywolf

#12972of 53,633
20.5Total CVSS
Vulnerabilities · 4
Medium
4
PT-2022-18224
5.4
2022-04-06
Orangehrm · Orangehrm · CVE-2022-27107
**Name of the Vulnerable Software and Affected Versions** OrangeHRM version 4.10 **Description** The issue concerns a Stored XSS vulnerability in the "Share Video" section under "OrangeBuzz". This vulnerability can be exploited via the `createVideo[linkAddress]` parameter using GET or POST requests. **Recommendations** For OrangeHRM version 4.10, as a temporary workaround, consider restricting access to the "Share Video" section under "OrangeBuzz" until a patch is available. Avoid using the `createVideo[linkAddress]` parameter in the affected section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-18225
4.3
2022-04-06
Orangehrm · Orangehrm · CVE-2022-27108
**Name of the Vulnerable Software and Affected Versions** OrangeHRM version 4.10 **Description** The issue allows any user to create a timesheet in another user's account due to an Insecure Direct Object Reference (IDOR) via the endpoint "symfony/web/index.php/time/createTimesheet". **Recommendations** For OrangeHRM version 4.10, as a temporary workaround, consider restricting access to the "symfony/web/index.php/time/createTimesheet" endpoint to prevent unauthorized timesheet creation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-18226
5.4
2022-04-06
Orangehrm · Orangehrm · CVE-2022-27109
**Name of the Vulnerable Software and Affected Versions** OrangeHRM version 4.10 **Description** The issue is related to a Referer header injection redirect. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For OrangeHRM version 4.10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-18228
5.4
2022-04-06
Orangehrm · Orangehrm · CVE-2022-27110
**Name of the Vulnerable Software and Affected Versions** OrangeHRM version 4.10 **Description** The issue concerns a Host header injection redirect via the "viewPersonalDetails" endpoint. This allows for potential redirection attacks. **Recommendations** For OrangeHRM version 4.10, as a temporary workaround, consider restricting access to the "viewPersonalDetails" endpoint until a patch is available.