CVE-2012-1507

Published: Sep 17, 2014Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.

Affected (19)

Products: Orangehrm: Orangehrm

1 product

Configuration A

19 vulnerable

Vulnerable Software	Affected Versions
Orangehrm Orangehrm	Up to 2.6.12.1
Orangehrm Orangehrm	Version 2.6.0.1
Orangehrm Orangehrm	Version 2.6.0
Orangehrm Orangehrm	Version 2.6.10
Orangehrm Orangehrm	Version 2.6.11.2
Orangehrm Orangehrm	Version 2.6.11.3
Orangehrm Orangehrm	Version 2.6.11
Orangehrm Orangehrm	Version 2.6.12
Orangehrm Orangehrm	Version 2.6.1
Orangehrm Orangehrm	Version 2.6.2
Orangehrm Orangehrm	Version 2.6.3
Orangehrm Orangehrm	Version 2.6.4
Orangehrm Orangehrm	Version 2.6.5
Orangehrm Orangehrm	Version 2.6.6
Orangehrm Orangehrm	Version 2.6.7
Orangehrm Orangehrm	Version 2.6.8.1
Orangehrm Orangehrm	Version 2.6.8
Orangehrm Orangehrm	Version 2.6.9
Orangehrm Orangehrm	Version 2.6

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (16)

http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/

Source: cve@mitre.org

Patch

http://osvdb.org/81744

Source: cve@mitre.org

http://osvdb.org/81745

Source: cve@mitre.org

http://osvdb.org/81746

Source: cve@mitre.org

http://secunia.com/advisories/49072

Source: cve@mitre.org

http://www.securityfocus.com/bid/53433

Source: cve@mitre.org

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/75473

Source: cve@mitre.org

https://www.htbridge.com/advisory/HTB23080

Source: cve@mitre.org

Exploit

http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://osvdb.org/81744

Source: af854a3a-2127-422b-91ae-364da2661108

http://osvdb.org/81745

Source: af854a3a-2127-422b-91ae-364da2661108

http://osvdb.org/81746

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/49072

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/53433

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/75473

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.htbridge.com/advisory/HTB23080

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.