#VU41334 Cross-site scripting in Orange Human Resource Management - CVE-2012-1507
Vulnerability identifier: #VU41334
Vulnerability risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2012-1507
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Orange Human Resource Management
Server applications /
Other server solutions
Vendor: OrangeHRM Inc.
Description
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in OrangeHRM before 2.7 when processing the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Orange Human Resource Management: 2.6 - 2.6.12
External links
https://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/
https://osvdb.org/81744
https://osvdb.org/81745
https://osvdb.org/81746
https://secunia.com/advisories/49072
https://www.securityfocus.com/bid/53433
https://exchange.xforce.ibmcloud.com/vulnerabilities/75473
https://www.htbridge.com/advisory/HTB23080
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
