Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.0
CVE Id: CVE-2012-5367
Last Modified: 21 Aug 2013 11:59:56
Published: 03 Dec 2012 04:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE_INSTANCE

CVE-2012-5367

Summary

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks.

Vulnerable Systems

Application

  • OrangeHRM 2.7.1

References

MISC - https://www.htbridge.com/advisory/HTB23119

BID - 56417

BUGTRAQ - 20121105 SQL Injection Vulnerability in OrangeHRM

OSVDB - 86858

XF - orangehrm-index-sql-injection(79833)

MISC - http://packetstormsecurity.org/files/117925/OrangeHRM-2.7.1-rc.1-Cross-Site-Request-Forgery-SQL-Injection.html

Last Updated: 27 May 2016 11:02:48