CVE-2012-5367 Information

Feb 14, 2021 cve

Description

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers (2) viewPayGrades or (3) viewSystemUsers in symfony/web/index.php/admin/ as demonstrated using cross-site request forgery (CSRF) attacks.

Reference

http://archives.neohapsis.com/archives/bugtraq/2012-11/0029.html http://osvdb.org/86858 http://packetstormsecurity.org/files/117925/OrangeHRM-2.7.1-rc.1-Cross-Site-Request-Forgery-SQL-Injection.html http://www.securityfocus.com/bid/56417 https://exchange.xforce.ibmcloud.com/vulnerabilities/79833 https://www.htbridge.com/advisory/HTB23119

Share on: