Security Advisory, weiße Schrift auf dunklem Hintergrund

Security Advisories on OrangeHRM und memos

16. December 2025
News | Pentests & Security Analyses | Security Advisories | usd HeroLab

The pentest professionals at usd HeroLab identified multiple vulnerabilities in the applications OrangeHRM and memos during web application pentests.

The vulnerabilities were reported to the vendors as part of the Responsible Disclosure Policy. Detailed information on the advisories can be found here:

OrangeHRM

During the examination of the OrangeHRM software, two vulnerabilities were identified. The first vulnerability allows a user with low privileges to take over any account, including the administrator's, using the password reset function. The second vulnerability allows a user with administrative privileges to execute arbitrary system commands.

IDProductVulnerability Type
usd-2025-0046OrangeHRMWeak Password Recovery Mechanism for Forgotten Password (CWE-640)
usd-2025-0047OrangeHRMImproper Neutralization of Special Elements used in an OS Command (CWE-78)

memos

Additional vulnerabilities were discovered in the software memos. These consist of a series of inadequate access controls. In addition, authenticated users can overwrite any files and thus bring the system to a complete standstill.

IDProductVulnerability Type
usd-2025-0056memosRelative Path Traversal (CWE-23)
usd-2025-0057memosMissing Authorization (CWE-862)
usd-2025-0058memosMissing Authorization (CWE-862)
usd-2025-0059memosMissing Authorization (CWE-862)
usd-2025-0060memosMissing Authorization (CWE-862)
usd-2025-0061memosMissing Authorization (CWE-862)

About usd HeroLab Security Advisories

In order to protect businesses against hackers and criminals, we must ensure that our skills and knowledge are up to date at all times. Therefore, security research is just as important to our work as is building up a security community to promote an exchange of knowledge. After all, more security can only be achieved if many people take on the task.

We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues – always in line with our Responsible Disclosure Policy.

Always in the name of our mission: “more security.”

memos | Missing Authorization | OrangeHRM | SECURITY ADVISORY | SECURITY RESEARCH

Also interesting:

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

Dec 11, 2025

Since the publication of the original blog post in May 2024, the final version of the RTS for TLPT has been released. The blog post has been updated accordingly and now covers the current requirements. The Digital Operational Resilience Act (DORA) came into force on...

Red Teaming: 5 Questions Every IT Leader Wants Answered

Red Teaming: 5 Questions Every IT Leader Wants Answered

Dec 3, 2025

Many companies invest in firewalls, endpoint protection, and awareness training, assuming that this puts them in a strong position. But the reality is different: attackers do not think in terms of tools, but in terms of targets. They combine technical vulnerabilities...

Categories

Categories

#BeAware Cloud Security Customer Stories  | Cyber Defence  |  Cybersecurity Tips  |  Events & Community Financial Sector & Compliance  |  Life@usd  |  News  |  PCI -Tipps  |  PCI News Pentest Insights  |  Security Audits  |  Security Research  |  usd Updates