OrangeHRM 3.3.1 Unauthorized Data Manipulation
Posted on 29 September 2015
Source: packetstormsecurity.org
Vulnerability title: *Unauthorized Data Manipulation Vulnerability*
Vendor: OrangeHRM
Product: HRM software
Affected version: 3.3.1 and below
Fixed version: 3.3.2
**Summary**:
OrangeHRM Open Source is a free HR management system that offers a wealth of modules to suit the needs of your business. This widely-used system is feature-rich, intuitive and provides an essential HR management platform along with free documentation and access to a broad community of users.
**Vulnerability Description**:
The software allows an employer to track their employees' attendance. The feature lets a user punch in and punch out when they enter and leave the office, respectively. The vulnerability allows any employee to tamper with their own attendance record at any time, because the punch-in time and the overlap validation are driven by client-controlled request data rather than enforced on the server. I am *attaching the screenshots* showing how this vulnerability can be exploited.
The tampering is done in two requests (as seen in the screenshots), respectively at:
(1) Punch-in Request
(2) Punch-in Overlapping Validation
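The defensive fix for this class of bug is to stop storing client-supplied punch times and to run the overlap rule on the server clock only. The following is an added example written for this page, not OrangeHRM's own code: the request field name `punch_in_time`, the in-memory record store and the skew tolerance are assumptions, and the sample timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: the server clock at the moment of the punch-in request.
SERVER_NOW = datetime(2015, 9, 29, 11, 0)
# Assumption: how far a client-reported time may drift before it is flagged.
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)


@dataclass
class PunchRecord:
    employee_id: int
    punch_in: datetime
    punch_out: Optional[datetime] = None


def check_no_overlap(records, employee_id, ts):
    """Server-side overlap rule: one open shift per employee, and a new
    punch-in may not be placed before an earlier punch-out of that employee."""
    for r in records:
        if r.employee_id != employee_id:
            continue
        if r.punch_out is None:
            raise ValueError("employee is already punched in")
        if ts < r.punch_out:
            raise ValueError("punch-in overlaps an existing shift")


def punch_in_trusting_client(records, employee_id, request):
    """Vulnerable pattern: the stored time is whatever the client sent, so a
    backdated value passes validation and is recorded as-is."""
    ts = datetime.fromisoformat(request["punch_in_time"])  # hypothetical field
    check_no_overlap(records, employee_id, ts)  # validation runs on the tampered value
    rec = PunchRecord(employee_id, ts)
    records.append(rec)
    return rec


def punch_in_server_time(records, employee_id, request, now=SERVER_NOW):
    """Hardened pattern: the client's timestamp is never stored; the server
    clock is the only source of truth. A client value far from the server
    clock is returned as an anomaly flag so the attempt can be logged."""
    check_no_overlap(records, employee_id, now)
    client_ts = request.get("punch_in_time")
    anomaly = (client_ts is not None
               and abs(datetime.fromisoformat(client_ts) - now) > CLOCK_SKEW_TOLERANCE)
    rec = PunchRecord(employee_id, now)
    records.append(rec)
    return rec, anomaly
```

The anomaly flag is the detection hook: a client-reported time that disagrees with the server clock by more than the tolerance is exactly the signature of a modified request and belongs in an audit log.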
**Conclusion**:
This has been reported to OrangeHRM and has been fixed in version 3.3.2.
*I appreciate Orange HRM, for the support and immediate response that they
have shown in fixing the issue.*
Happy Hunting!!!