CVE-2025-44040

High CVSS: 7.2

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.

Vendor

Orangehrm

Product

Orangehrm

CWE

CWE-269

Yayın Tarihi

2025-05-21 21:16:03

Güncelleme

2025-10-13 20:15:33

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-269 Orangehrm HIGH Orangehrm 2025

Referanslar

https://github.com/hexomedin3/advisories/tree/main/CVE-2025-44040 https://github.com/orangehrm/orangehrm/releases/tag/v5.7

Benzer Kayıtlar

Medium

CVE-2025-66290

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitm…

Medium

CVE-2025-66291

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment r…

Critical

CVE-2025-66224

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains a…

High

CVE-2025-66225

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflo…

High

CVE-2025-66289

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not i…