CVE-2022-28985

Name of the Vulnerable Software and Affected Versions OrangeHRM version v4.10.1

Description A stored cross-site scripting (XSS) issue in the addNewPost component allows attackers to execute arbitrary web scripts or HTML via a crafted POST request to the /api/v1/addNewPost endpoint, using vulnerable parameters such as post content. This enables attackers to inject malicious scripts, potentially leading to unauthorized access or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents.

Recommendations For OrangeHRM version v4.10.1, as a temporary workaround, consider disabling the addNewPost component until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the post content parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.