SQL Injection Vulnerability in OrangeHRM Software
CVE-2012-1506
Currently unrated
What is CVE-2012-1506?
An SQL injection vulnerability exists in the updateStatus function in the Hsp.php file of the OrangeHRM platform. The flaw allows remote authenticated users to manipulate the hspSummaryId parameter in requests to plugins/ajaxCalls/haltResumeHsp.php, potentially enabling the execution of arbitrary SQL commands. This can lead to unauthorized data access or modification, posing significant risks to the integrity and confidentiality of user data in affected versions of the software.
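For triage, the following added example (not part of the advisory and not OrangeHRM code) scans web server access logs for requests to the affected endpoint whose hspSummaryId is not a plain integer. It assumes the parameter is a numeric ID, that it appears in the query string, and that logs use the common/combined format; the log lines and the /orangehrm/ install prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter name are taken from the advisory text.
TARGET_PATH = "/plugins/ajaxcalls/haltresumehsp.php"
PARAM = "hspSummaryId"

# Common/combined log format: client IP, quoted request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate hspSummaryId is a short decimal integer.
VALID_ID = re.compile(r"[0-9]{1,10}")


def suspicious_requests(lines):
    """Return (ip, status, decoded_value) for every request to the affected
    endpoint that carries a non-integer hspSummaryId."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not unquote(url.path).lower().endswith(TARGET_PATH):
            continue  # some other script
        # parse_qs decodes one layer of percent-encoding, so a double-encoded
        # value still contains '%' afterwards and fails the integer check.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            if not VALID_ID.fullmatch(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
EP = "/orangehrm/plugins/ajaxCalls/haltResumeHsp.php"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Mar/2012:10:00:01 +0000] "GET {EP}?hspSummaryId=42 HTTP/1.1" 200 17',
    f'198.51.100.7 - - [01/Mar/2012:10:02:13 +0000] "GET {EP}?hspSummaryId=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 17',
    f'198.51.100.7 - - [01/Mar/2012:10:02:20 +0000] "GET {EP}?hspSummaryId=7%2527 HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Mar/2012:10:03:00 +0000] "GET /orangehrm/index.php?hspSummaryId=abc HTTP/1.1" 200 512',
    f'192.0.2.10 - - [01/Mar/2012:10:04:44 +0000] "GET {EP}?hspSummaryId= HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} hspSummaryId={value!r}")
```

Values sent in a POST body do not appear in access logs, so a clean result here does not rule out abuse of the endpoint.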
