CVE-2012-1507

EUVD-2012-1525
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
orangehrmorangehrm
𝑥
≤ 2.6.12.1
orangehrmorangehrm
2.6
orangehrmorangehrm
2.6.0
orangehrmorangehrm
2.6.0.1
orangehrmorangehrm
2.6.1
orangehrmorangehrm
2.6.2
orangehrmorangehrm
2.6.3
orangehrmorangehrm
2.6.4
orangehrmorangehrm
2.6.5
orangehrmorangehrm
2.6.6
orangehrmorangehrm
2.6.7
orangehrmorangehrm
2.6.8
orangehrmorangehrm
2.6.8.1
orangehrmorangehrm
2.6.9
orangehrmorangehrm
2.6.10
orangehrmorangehrm
2.6.11
orangehrmorangehrm
2.6.11.2
orangehrmorangehrm
2.6.11.3
orangehrmorangehrm
2.6.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/
http://osvdb.org/81744
http://osvdb.org/81745
http://osvdb.org/81746
http://secunia.com/advisories/49072
http://www.securityfocus.com/bid/53433
https://exchange.xforce.ibmcloud.com/vulnerabilities/75473
https://www.htbridge.com/advisory/HTB23080
http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/
http://osvdb.org/81744
http://osvdb.org/81745
http://osvdb.org/81746
http://secunia.com/advisories/49072
http://www.securityfocus.com/bid/53433
https://exchange.xforce.ibmcloud.com/vulnerabilities/75473
https://www.htbridge.com/advisory/HTB23080