Security Advisory, weiße Schrift auf dunklem Hintergrund

Security Advisories on OrangeHRM und memos

16. December 2025
News | Pentests & Security Analyses | Security Advisories | usd HeroLab

The pentest professionals at usd HeroLab identified multiple vulnerabilities in the applications OrangeHRM and memos during web application pentests.

The vulnerabilities were reported to the vendors as part of the Responsible Disclosure Policy. Detailed information on the advisories can be found here:

OrangeHRM

During the examination of the OrangeHRM software, two vulnerabilities were identified. The first vulnerability allows a user with low privileges to take over any account, including the administrator's, using the password reset function. The second vulnerability allows a user with administrative privileges to execute arbitrary system commands.

IDProductVulnerability Type
usd-2025-0046OrangeHRMWeak Password Recovery Mechanism for Forgotten Password (CWE-640)
usd-2025-0047OrangeHRMImproper Neutralization of Special Elements used in an OS Command (CWE-78)

memos

Additional vulnerabilities were discovered in the software memos. These consist of a series of inadequate access controls. In addition, authenticated users can overwrite any files and thus bring the system to a complete standstill.

IDProductVulnerability Type
usd-2025-0056memosRelative Path Traversal (CWE-23)
usd-2025-0057memosMissing Authorization (CWE-862)
usd-2025-0058memosMissing Authorization (CWE-862)
usd-2025-0059memosMissing Authorization (CWE-862)
usd-2025-0060memosMissing Authorization (CWE-862)
usd-2025-0061memosMissing Authorization (CWE-862)

About usd HeroLab Security Advisories

In order to protect businesses against hackers and criminals, we must ensure that our skills and knowledge are up to date at all times. Therefore, security research is just as important to our work as is building up a security community to promote an exchange of knowledge. After all, more security can only be achieved if many people take on the task.

We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues – always in line with our Responsible Disclosure Policy.

Always in the name of our mission: “more security.”

memos | Missing Authorization | OrangeHRM | SECURITY ADVISORY | SECURITY RESEARCH

Also interesting:

Security Advisories on PRTG Network Monitor

Security Advisories on PRTG Network Monitor

Jan 23, 2026

The pentest professionals at usd HeroLab examined the PRTG Network Monitor web application as part of web application pentests and identified several vulnerabilities. Two vulnerabilities relate to cross-site scripting (XSS), which allows attackers to inject JavaScript...

Categories

Categories

#BeAware Cloud Security Customer Stories  | Cyber Defence  |  Cybersecurity Tips  |  Events & Community Financial Sector & Compliance  |  Life@usd  |  News  |  PCI -Tipps  |  PCI News Pentest Insights  |  Security Audits  |  Security Research  |  usd Updates