CNNVD-202511-3030 Information
CNNVD ID
CNNVD-202511-3030
Related CVE
- CNNVD Published: 2025-11-29
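Description (translated from Chinese)
OrangeHRM is a human resources management (HRM) system from the US company OrangeHRM. The system supports functions such as personnel information management, leave management, attendance management, and recruitment management. OrangeHRM versions 5.0 through 5.7 contain an authorization vulnerability that stems from insufficient authorization checks on the recruitment attachment retrieval endpoint and may lead to the disclosure of sensitive data.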
Description (English)
OrangeHRM is a human resources management (HRM) system developed by OrangeHRM, a company based in the United States. It covers personnel information management, leave administration, attendance, and recruitment management. OrangeHRM versions 5.0 to 5.7 have an authorization flaw: the endpoint that retrieves recruitment attachments does not perform sufficient authorization checks, which may lead to the disclosure of sensitive data.
Hazard Level
High
Vulnerability Type
Authorization issue
Affected Vendor
OrangeHRM
Published
2025-11-29
Last Modified
2026-02-24
References
https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88
https://access.redhat.com/security/cve/cve-2025-66290