{"id":62924,"date":"2025-12-16T13:42:31","date_gmt":"2025-12-16T12:42:31","guid":{"rendered":"https:\/\/www.usd.de\/?p=62924"},"modified":"2025-12-16T13:42:33","modified_gmt":"2025-12-16T12:42:33","slug":"security-advisories-orange-hrm-and-memos","status":"publish","type":"post","link":"https:\/\/www.usd.de\/en\/security-advisories-orange-hrm-and-memos\/","title":{"rendered":"Security Advisories on OrangeHRM und memos"},"content":{"rendered":"\n

The\u00a0pentest professionals<\/a>\u00a0at\u00a0usd HeroLab<\/a>\u00a0identified multiple vulnerabilities in the applications\u00a0OrangeHRM<\/strong>\u00a0and\u00a0memos<\/strong>\u00a0during\u00a0web application pentests<\/a>.<\/p>\n\n\n\n

The vulnerabilities were reported to the vendors as part of the\u00a0Responsible Disclosure Policy<\/a>. Detailed information on the advisories can be found here:<\/p>\n\n\n\n

<\/div>\n\n\n\n

OrangeHRM<\/h2>\n\n\n\n

During the examination of the OrangeHRM software, two vulnerabilities were identified. The first vulnerability allows a user with low privileges to take over any account, including the administrator's, using the password reset function. The second vulnerability allows a user with administrative privileges to execute arbitrary system commands.<\/p>\n\n\n\n

ID<\/strong><\/th>Product<\/th>Vulnerability Type<\/strong><\/th><\/tr><\/thead>
usd-2025-0046<\/a><\/td>OrangeHRM<\/td>Weak Password Recovery Mechanism for Forgotten Password (CWE-640)<\/td><\/tr>
usd-2025-0047<\/a><\/td>OrangeHRM<\/td>Improper Neutralization of Special Elements used in an OS Command (CWE-78)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
<\/div>\n\n\n\n

memos<\/h2>\n\n\n\n

Additional vulnerabilities were discovered in the software memos. These consist of a series of inadequate access controls. In addition, authenticated users can overwrite any files and thus bring the system to a complete standstill.<\/p>\n\n\n\n

ID<\/th>Product<\/th>Vulnerability Type<\/strong><\/th><\/tr><\/thead>
usd-2025-0056<\/a><\/td>memos<\/td>Relative Path Traversal (CWE-23)<\/td><\/tr>
usd-2025-0057<\/a><\/td>memos<\/td>Missing Authorization (CWE-862)<\/td><\/tr>
usd-2025-0058<\/a><\/td>memos<\/td>Missing Authorization (CWE-862)<\/td><\/tr>
usd-2025-0059<\/a><\/td>memos<\/td>Missing Authorization (CWE-862)<\/td><\/tr>
usd-2025-0060<\/a><\/td>memos<\/td>Missing Authorization (CWE-862)<\/td><\/tr>
usd-2025-0061<\/a><\/td>memos<\/td>Missing Authorization (CWE-862)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
<\/div>\n\n\n\n

About usd HeroLab Security Advisories<\/h2>\n\n\n\n

In order to protect businesses against hackers and criminals, we must ensure that our skills and knowledge are up to date at all times. Therefore, security research is just as important to our work as is building up a security community to promote an exchange of knowledge. After all, more security can only be achieved if many people take on the task.<\/p>\n\n\n\n

We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues \u2013 always in line with our Responsible Disclosure Policy<\/a>.<\/p>\n\n\n\n

Always in the name of our mission: \u201cmore security.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

The\u00a0pentest professionals\u00a0at\u00a0usd HeroLab\u00a0identified multiple vulnerabilities in the applications\u00a0OrangeHRM\u00a0and\u00a0memos\u00a0during\u00a0web application pentests. The vulnerabilities were reported to the vendors as part of the\u00a0Responsible Disclosure Policy. Detailed information on the advisories can be found here: OrangeHRM During the examination of the OrangeHRM software, two vulnerabilities were identified. The first vulnerability allows a user with low privileges to take […]<\/p>\n","protected":false},"author":120,"featured_media":46998,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[373,374,1674,10757],"tags":[14916,14917,14915,8541,381],"class_list":["post-62924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-en","category-pentests-security-analyses-en","category-security-advisories-en","category-usd-herolab-en","tag-memos","tag-missing-authorization","tag-orangehrm","tag-security-advisory-en","tag-security-research-en"],"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/62924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/120"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=62924"}],"version-history":[{"count":3,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/62924\/revisions"}],"predecessor-version":[{"id":62931,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/62924\/revisions\/62931"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media\/46998"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=62924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/categories?post=62924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/tags?post=62924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}