CVE-2011-5258
published 2013-02-12CVE-2011-5258: Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1)…
PriorityP420medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
2.09%
79.3th percentile
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orangehrm | orangehrm | <= 2.6.11 | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
| orangehrm | orangehrm | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
OrangeHRM 2.6.11 - 'lib/controllers/CentralController.php' URI Cross-Site Scripting
exploitdb·2011-11-30
CVE-2011-5258 OrangeHRM 2.6.11 - 'lib/controllers/CentralController.php' URI Cross-Site Scripting
OrangeHRM 2.6.11 - 'lib/controllers/CentralController.php' URI Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/50857/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.
http://www.example.com/lib/controllers/centralcontroller.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C /script%3E/?uniqcode=USR&VIEW=MAIN&isAdmin=1
Exploit-DB
OrangeHRM 2.6.11 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2011-11-30
CVE-2011-5258 OrangeHRM 2.6.11 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
OrangeHRM 2.6.11 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/50857/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.6.11 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?menu_no_top=eim&uniqcode=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28123%29;% 3C/script%3E
http://www.example.com/index.php?menu_no_top=eim&uniqcode=USR&isAdmin=%22%3E%3C/iframe%3E%3Cscript%3E alert%28123%29;%3C/script%3E
No writeups or analysis indexed.
http://blog.orangehrm.com/2011/12/09/security-vulnerabilities-fixed-with-orangehrm-26112/http://osvdb.org/show/osvdb/77416http://osvdb.org/show/osvdb/77417http://secunia.com/advisories/47014http://www.securityfocus.com/archive/1/520684/100/0/threadedhttp://www.securityfocus.com/bid/50857https://exchange.xforce.ibmcloud.com/vulnerabilities/71568https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_orangehrm.htmlhttp://blog.orangehrm.com/2011/12/09/security-vulnerabilities-fixed-with-orangehrm-26112/http://osvdb.org/show/osvdb/77416http://osvdb.org/show/osvdb/77417http://secunia.com/advisories/47014http://www.securityfocus.com/archive/1/520684/100/0/threadedhttp://www.securityfocus.com/bid/50857https://exchange.xforce.ibmcloud.com/vulnerabilities/71568https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_orangehrm.html
2013-02-12
Published