PT-2025-48369 · Orangehrm · Orangehrm
Published
2025-11-29
·
Updated
2025-11-29
·
CVE-2025-66291
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OrangeHRM versions 5.0 through 5.7
Description
OrangeHRM, a human resource management system, has an issue in the Recruitment module where interview attachments can be accessed without proper authorization. The issue affects versions 5.0 through 5.7. The interview attachment retrieval endpoint does not verify whether the user requesting the file has permission to access the associated interview record. An ESS-level user, lacking access to recruitment workflows, can request interview attachment URLs and retrieve confidential documents such as candidate CVs and evaluations. This is because the system relies on predictable object identifiers and the mere presence of a session instead of validating the user’s association with the recruitment process. The issue is addressed in version 5.8. The API endpoint involved is the interview attachment retrieval endpoint within the Recruitment module. The vulnerability stems from a lack of authorization checks before serving files based on user-supplied identifiers, specifically the attachment ID (attachment id).
Recommendations
Versions 5.0 through 5.7 should be updated to version 5.8 or later to resolve this issue.
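The authorization pattern described above, as an added example that is not OrangeHRM's own code: a vulnerable handler that serves a file to any logged-in user who supplies an attachment ID, beside a hardened handler that first resolves the attachment to its interview record and checks the caller's association with it. The roles, record layout and sample data are constructed for illustration.

```python
"""Added example (not OrangeHRM code): object-level authorization for an
interview attachment download, modelled on the flaw described above.
All names, roles and records here are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "ess" (employee self-service) or "recruiter"

@dataclass(frozen=True)
class Interview:
    interview_id: int
    interviewer_ids: frozenset  # users associated with this interview

@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    interview_id: int
    filename: str

# Constructed sample data standing in for the database tables.
USERS = {1: User(1, "ess"), 2: User(2, "recruiter")}
INTERVIEWS = {10: Interview(10, frozenset({2}))}
ATTACHMENTS = {501: Attachment(501, 10, "candidate-cv.pdf"),
               502: Attachment(502, 10, "evaluation.docx")}

def get_attachment_vulnerable(session_user_id, attachment_id):
    """Vulnerable pattern: session presence plus a guessable ID is enough."""
    if session_user_id not in USERS:
        return None  # only verifies that some user is logged in
    att = ATTACHMENTS.get(attachment_id)
    return att.filename if att else None

def get_attachment_fixed(session_user_id, attachment_id):
    """Hardened pattern: resolve the attachment to its interview record and
    require the caller to be associated with it (or hold a recruiting role)."""
    user = USERS.get(session_user_id)
    att = ATTACHMENTS.get(attachment_id)
    interview = INTERVIEWS.get(att.interview_id) if att else None
    if user is None or interview is None:
        return None
    allowed = user.role == "recruiter" or user.user_id in interview.interviewer_ids
    # Answer "not found" for both a missing ID and a denied one so the check
    # does not reveal whether the attachment exists.
    return att.filename if allowed else None
```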
Improper Authorization
Information Disclosure
Affected Products
Orangehrm