CVE-2012-1506

EUVD-2012-1524
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php.  NOTE: some of these details are obtained from third party information.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
orangehrmorangehrm
𝑥
≤ 2.6.12.1
orangehrmorangehrm
2.6
orangehrmorangehrm
2.6.0
orangehrmorangehrm
2.6.0.1
orangehrmorangehrm
2.6.1
orangehrmorangehrm
2.6.2
orangehrmorangehrm
2.6.3
orangehrmorangehrm
2.6.4
orangehrmorangehrm
2.6.5
orangehrmorangehrm
2.6.6
orangehrmorangehrm
2.6.7
orangehrmorangehrm
2.6.8
orangehrmorangehrm
2.6.8.1
orangehrmorangehrm
2.6.9
orangehrmorangehrm
2.6.10
orangehrmorangehrm
2.6.11
orangehrmorangehrm
2.6.11.2
orangehrmorangehrm
2.6.11.3
orangehrmorangehrm
2.6.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/
http://osvdb.org/81743
http://secunia.com/advisories/49072
http://www.securityfocus.com/bid/53433
https://exchange.xforce.ibmcloud.com/vulnerabilities/75472
https://www.htbridge.com/advisory/HTB23080
http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/
http://osvdb.org/81743
http://secunia.com/advisories/49072
http://www.securityfocus.com/bid/53433
https://exchange.xforce.ibmcloud.com/vulnerabilities/75472
https://www.htbridge.com/advisory/HTB23080