Stored Cross-Site Scripting Vulnerability in OrangeHRM by OrangeHRM
CVE-2022-28985

6.3MEDIUM

Key Information:

Vendor: Orangehrm
Status: Orangehrm
Vendor: CVE Published:; 20 May 2022

What is CVE-2022-28985?

A stored cross-site scripting (XSS) vulnerability exists in the addNewPost component of OrangeHRM version 4.10.1. This security flaw can be exploited by attackers to execute arbitrary web scripts or HTML within the affected application, leading to potential data theft, session hijacking, or further malicious activity. Proper input validation and sanitization practices should be implemented to mitigate the risk of this vulnerability.

References

https://github.com/orangehrm/orangehrm/issues/1217

x_refsource_MISC

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2022
Vulnerability Reserved
Apr 11, 2022

CVE-2022-28985 Data

JSON

Orangehrm

What is CVE-2022-28985?

References

CVSS V3.1

Timeline