CVE-2012-1506

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.
SQL Injection
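| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 6.5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |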
EPSS Score percentile: 83%
| Vendor | Product | Version |
|---|---|---|
| orangehrm | orangehrm | 𝑥 ≤ 2.6.12.1 |
| orangehrm | orangehrm | 2.6 |
| orangehrm | orangehrm | 2.6.0 |
| orangehrm | orangehrm | 2.6.0.1 |
| orangehrm | orangehrm | 2.6.1 |
| orangehrm | orangehrm | 2.6.2 |
| orangehrm | orangehrm | 2.6.3 |
| orangehrm | orangehrm | 2.6.4 |
| orangehrm | orangehrm | 2.6.5 |
| orangehrm | orangehrm | 2.6.6 |
| orangehrm | orangehrm | 2.6.7 |
| orangehrm | orangehrm | 2.6.8 |
| orangehrm | orangehrm | 2.6.8.1 |
| orangehrm | orangehrm | 2.6.9 |
| orangehrm | orangehrm | 2.6.10 |
| orangehrm | orangehrm | 2.6.11 |
| orangehrm | orangehrm | 2.6.11.2 |
| orangehrm | orangehrm | 2.6.11.3 |
| orangehrm | orangehrm | 2.6.12 |

𝑥 = Vulnerable software versions