OrangeHRM 3.3.3 vulnerable to SQL injection
CVE-2024-36428

8.1HIGH

Key Information:

Vendor: OrangeHRM
Status: Orangehrm
Vendor: CVE Published:; 27 May 2024

What is CVE-2024-36428?

OrangeHRM version 3.3.3 is susceptible to an SQL injection vulnerability that arises from improper handling of the sortOrder parameter in the admin/viewProjects interface. This security flaw can potentially allow an attacker to manipulate SQL queries, leading to unauthorized access and retrieval of sensitive data from the underlying database. Organizations using this version of OrangeHRM should take proactive measures to secure their systems and patch the vulnerability to prevent exploitation.

References

https://github.com/4rdr/proofs/blob/main/info/OrangeHRM_3...

https://sourceforge.net/projects/orangehrm/files/stable/3...

EPSS Score

77% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2024

CVE-2024-36428 Data

JSON