CVE-2022-27108

Name of the Vulnerable Software and Affected Versions OrangeHRM version 4.10

Description The issue allows any user to create a timesheet in another user's account due to an Insecure Direct Object Reference (IDOR) via the endpoint "symfony/web/index.php/time/createTimesheet".

Recommendations For OrangeHRM version 4.10, as a temporary workaround, consider restricting access to the "symfony/web/index.php/time/createTimesheet" endpoint to prevent unauthorized timesheet creation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.