Hi all, Greetings from Vishnu (@dH4wk) Vulnerability title: *Unauthorized Data Manipulation Vulnerability* Vendor: OrangeHRM Product: HRM s/w Affected version: 3.3.1 and below Fixed version: 3.3.2 **Summary**: OrangeHRM Open Source is a free HR management system that offers a wealth of modules to suit the needs of your business. This widely-used system is feature-rich, intuitive and provides an essential HR management platform along with free documentation and access to a broad community of users. **Vulnerability Description**: The software allows the employer to track their employees attendance. The feature allows user to punchin and punchout once they are in and out of the office, respectively. The vulnerability in the software allows any employee to tamper their attendance at any time. I am *attaching the screenshots* on how this vulnerability can be exploited. The tampering should be done in two request (as seen in the screenshots) respectively at: (1) Punchin Request (2) Puchin Overlapping Validation **Conclusion** This has been reported to Orange HRM and has been fixed on the version 3.3.2 *I appreciate Orange HRM, for the support and immediate response that they have shown in fixing the issue.* Happy Hunting!!!
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment