PT-2025-48368 · Orangehrm · Orangehrm

Published: 2025-11-29 · Updated: 2025-11-29 · CVE-2025-66290

CVSS v4.0: 5.3
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OrangeHRM versions 5.0 through 5.7
Description: OrangeHRM, a human resource management system, allows unauthorized access to candidate files through its recruitment attachment retrieval endpoint. The application does not enforce an authorization check before serving candidate files: when a request reaches the attachment endpoint, the system verifies the session but does not confirm that the user holds the required recruitment permissions. As a result, users with limited privileges, specifically ESS-level users who are restricted from the Recruitment module, can still access candidate attachment URLs, and any authenticated user can download CVs and other uploaded documents for any candidate by requesting them directly from the endpoint, exposing sensitive applicant data. The vulnerable endpoint is the recruitment attachment retrieval endpoint. The issue is resolved in version 5.8.
Recommendations: Versions prior to 5.8 are affected. Update to version 5.8 or later to address this issue.
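The weakness above is an authentication check standing in for an authorization check. The following Python model, added here as an illustration and not code from OrangeHRM or from this advisory, places the pattern the advisory describes (session verified, module permission never checked) beside a hardened handler that also requires the recruitment module before any record is looked up. The role names, module names, attachment ids and the in-memory attachment store are constructed assumptions; the real endpoint path and OrangeHRM's permission model are not reproduced.

```python
"""Model of the authorization gap described in the advisory.

Constructed example: roles, module names, attachment ids and the attachment
store are assumptions for illustration, not OrangeHRM's own code or data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str                                   # e.g. "Admin" or "ESS"
    modules: frozenset = field(default_factory=frozenset)  # modules the role may use


@dataclass(frozen=True)
class Session:
    user: Optional[User]                        # None means no valid session


# Constructed attachment store: attachment id -> (candidate id, filename, content)
ATTACHMENTS = {
    101: (7, "cv_alice.pdf", b"%PDF-1.4 constructed sample"),
    102: (9, "cv_bob.pdf", b"%PDF-1.4 constructed sample"),
}

RECRUITMENT_MODULE = "recruitment"


def get_attachment_vulnerable(session: Session, attachment_id: int):
    """Pattern the advisory describes: the session is verified, but whether the
    caller may use the recruitment module is never checked, so any
    authenticated user receives any candidate's file."""
    if session.user is None:
        return 401, None
    record = ATTACHMENTS.get(attachment_id)
    if record is None:
        return 404, None
    return 200, record[1]


def get_attachment_fixed(session: Session, attachment_id: int):
    """Hardened handler: authentication first, then an explicit authorization
    check that the role grants the recruitment module, evaluated before the
    record lookup so that a denied caller learns nothing about which ids exist."""
    if session.user is None:
        return 401, None
    if RECRUITMENT_MODULE not in session.user.modules:
        return 403, None
    record = ATTACHMENTS.get(attachment_id)
    if record is None:
        return 404, None
    return 200, record[1]


def demo():
    """Run both handlers against an admin, an ESS user and no session."""
    admin = User("hr_admin", "Admin", frozenset({"admin", "pim", RECRUITMENT_MODULE}))
    ess = User("employee", "ESS", frozenset({"pim"}))      # no recruitment access
    return {
        "anon_vuln": get_attachment_vulnerable(Session(None), 101)[0],
        "ess_vuln": get_attachment_vulnerable(Session(ess), 101)[0],
        "ess_fixed": get_attachment_fixed(Session(ess), 101)[0],
        "admin_fixed": get_attachment_fixed(Session(admin), 101)[0],
        "admin_missing": get_attachment_fixed(Session(admin), 999)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The ordering in the fixed handler is the point worth keeping in a real service: deny on missing module permission before touching the store, so the 403/404 split does not leak which attachment ids exist to callers who should not see any of them.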

Fix

Improper Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-66290
GHSA-QF8R-C54J-JW88

Affected Products

Orangehrm