PT-2025-48367 · Orangehrm · Orangehrm

Published: 2025-11-29
Updated: 2025-11-29
CVE-2025-66289

CVSS v4.0: 8.7
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OrangeHRM versions 5.0 through 5.7
Description: OrangeHRM does not invalidate existing sessions when a user account is disabled or its password is changed, so session cookies issued before the change remain valid indefinitely. A disabled user, or an attacker holding a session obtained from a compromised account, can therefore keep accessing protected pages and performing operations. The server neither revokes the affected sessions nor removes them from the session store during these state changes, so disabling an account or rotating its credentials has no effect on sessions that are already established. As a result, an administrative disable action does not end the user's access, and a password reset does not evict an attacker who already holds a valid session, prolonging unauthorized use and increasing the impact of account-takeover scenarios.
Recommendations: Update to version 5.8 or later. On unpatched versions, disabling an account or resetting its password does not terminate its existing sessions, so containing a compromised account also requires removing that user's entries from the server-side session store.
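The following is an added illustration of the weakness and its fix; it is not OrangeHRM code and does not reproduce the patched 5.8 logic. It models two in-memory session stores: VulnerableSessionStore behaves as the description above states (a session cookie stays valid after the account is disabled or the password changes), and HardenedSessionStore revokes the user's sessions on both events and additionally re-checks account state and a credential version on every request, so a stale session is rejected even if store cleanup was missed. All class names, user names and password-hash strings are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str            # stand-in for a real password hash
    enabled: bool = True
    # Bumped on every credential change; sessions record the value they were
    # issued under so that pre-change sessions can be detected per request.
    credential_version: int = 0


@dataclass
class Session:
    session_id: str
    username: str
    credential_version: int
    issued_at: float = field(default_factory=time.time)


class VulnerableSessionStore:
    """Mirrors the advisory: no revocation on disable or password change."""

    def __init__(self):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str, password_hash: str) -> str:
        user = self.users[username]
        if not user.enabled or user.password_hash != password_hash:
            raise PermissionError("login rejected")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, username, user.credential_version)
        return sid

    def disable_user(self, username: str) -> None:
        self.users[username].enabled = False            # sessions untouched

    def change_password(self, username: str, new_hash: str) -> None:
        self.users[username].password_hash = new_hash   # sessions untouched

    def authorize(self, sid: str) -> bool:
        # Only checks that the cookie maps to a stored session; the account's
        # current state is never consulted, so the session is valid forever.
        return sid in self.sessions


class HardenedSessionStore(VulnerableSessionStore):
    """Revokes on critical state changes and re-validates on every request."""

    def _revoke_all(self, username: str) -> int:
        stale = [sid for sid, s in self.sessions.items() if s.username == username]
        for sid in stale:
            del self.sessions[sid]                      # session-store cleanup
        return len(stale)

    def disable_user(self, username: str) -> None:
        self.users[username].enabled = False
        self._revoke_all(username)

    def change_password(self, username: str, new_hash: str) -> None:
        user = self.users[username]
        user.password_hash = new_hash
        user.credential_version += 1     # sessions issued earlier no longer match
        self._revoke_all(username)

    def authorize(self, sid: str) -> bool:
        session = self.sessions.get(sid)
        if session is None:
            return False
        user = self.users.get(session.username)
        # Defence in depth: if cleanup was skipped (e.g. a second node with its
        # own session cache), a disabled account or a credential-version
        # mismatch still rejects the request and discards the session.
        if (user is None or not user.enabled
                or user.credential_version != session.credential_version):
            self.sessions.pop(sid, None)
            return False
        return True


def demo(store_cls):
    """Replays both advisory scenarios; returns (valid_after_disable, valid_after_pw_change)."""
    store = store_cls()
    store.users["alice"] = User("alice", "hash-v1")
    sid_alice = store.login("alice", "hash-v1")
    store.disable_user("alice")
    after_disable = store.authorize(sid_alice)

    store.users["bob"] = User("bob", "hash-v1")
    sid_bob = store.login("bob", "hash-v1")
    store.change_password("bob", "hash-v2")
    after_pw_change = store.authorize(sid_bob)
    return after_disable, after_pw_change


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableSessionStore))   # (True, True)
    print("hardened:  ", demo(HardenedSessionStore))     # (False, False)
```

The per-request check in the hardened store is what makes the fix robust in deployments with more than one application node or session backend: revoking at the moment of the state change handles the common case, while comparing the session's recorded credential version and the account's enabled flag on each request closes the window in which a missed cleanup would otherwise leave a cookie usable.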

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2025-66289
GHSA-99QP-XH4Q-PR9X

Affected Products

Orangehrm