Security Advisory, weiße Schrift auf dunklem Hintergrund

Security Advisories on OrangeHRM und memos

16. December 2025
News | Pentests & Security Analyses | Security Advisories | usd HeroLab

The pentest professionals at usd HeroLab identified multiple vulnerabilities in the applications OrangeHRM and memos during web application pentests.

The vulnerabilities were reported to the vendors as part of the Responsible Disclosure Policy. Detailed information on the advisories can be found here:

OrangeHRM

During the examination of the OrangeHRM software, two vulnerabilities were identified. The first vulnerability allows a user with low privileges to take over any account, including the administrator's, using the password reset function. The second vulnerability allows a user with administrative privileges to execute arbitrary system commands.

IDProductVulnerability Type
usd-2025-0046OrangeHRMWeak Password Recovery Mechanism for Forgotten Password (CWE-640)
usd-2025-0047OrangeHRMImproper Neutralization of Special Elements used in an OS Command (CWE-78)

memos

Additional vulnerabilities were discovered in the software memos. These consist of a series of inadequate access controls. In addition, authenticated users can overwrite any files and thus bring the system to a complete standstill.

IDProductVulnerability Type
usd-2025-0056memosRelative Path Traversal (CWE-23)
usd-2025-0057memosMissing Authorization (CWE-862)
usd-2025-0058memosMissing Authorization (CWE-862)
usd-2025-0059memosMissing Authorization (CWE-862)
usd-2025-0060memosMissing Authorization (CWE-862)
usd-2025-0061memosMissing Authorization (CWE-862)

About usd HeroLab Security Advisories

In order to protect businesses against hackers and criminals, we must ensure that our skills and knowledge are up to date at all times. Therefore, security research is just as important to our work as is building up a security community to promote an exchange of knowledge. After all, more security can only be achieved if many people take on the task.

We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues – always in line with our Responsible Disclosure Policy.

Always in the name of our mission: “more security.”

memos | Missing Authorization | OrangeHRM | SECURITY ADVISORY | SECURITY RESEARCH

Also interesting:

Part-IS and ISO 27001: How to Leverage Synergies for Your Compliance

Part-IS and ISO 27001: How to Leverage Synergies for Your Compliance

Jan 14, 2026

On 22 February 2026, the EU Regulation Part-IS for aviation organizations will come into force. They must manage information security risks in a way that best protects civil aviation safety. Many already rely on an ISMS according to ISO 27001 – but is that enough for...

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

Dec 11, 2025

Since the publication of the original blog post in May 2024, the final version of the RTS for TLPT has been released. The blog post has been updated accordingly and now covers the current requirements. The Digital Operational Resilience Act (DORA) came into force on...

Categories

Categories

#BeAware Cloud Security Customer Stories  | Cyber Defence  |  Cybersecurity Tips  |  Events & Community Financial Sector & Compliance  |  Life@usd  |  News  |  PCI -Tipps  |  PCI News Pentest Insights  |  Security Audits  |  Security Research  |  usd Updates