Full Disclosure mailing list archives

OrangeHRM 2.7.1 Vacancy Name Persistent XSS
From: "SBV Research" <research () silverbackventuresllc com>
Date: Thu, 10 Jan 2013 05:00:00 -0700

OrangeHRM[1] 2.7.1[2] -- the latest stable release as of this writing --
suffers from a persistent (stored) XSS in the vacancy name field. Steps to reproduce:
1. Navigate to the following URL:

2. Add or edit a Vacancy
3. In the Vacancy Name parameter, enter the XSS script
4. Save
5. Navigate back to the top Vacancy page (click the back button)
6. Witness the XSS
Screenshots of the above exploit steps may be found on my website (for
those who want additional validation):
I contacted OrangeHRM[3] but did not receive a reply.
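Added example, not code from the advisory or from OrangeHRM itself: a minimal Python rendering of a vacancy list that shows the unsafe string concatenation this bug class comes from beside the output-encoded form, plus an audit helper that flags already-stored names containing markup. The record layout, field names and sample rows are assumptions constructed for the example.

```python
import html
import re

# Constructed sample rows standing in for stored vacancy records (hypothetical data,
# not taken from the product or the advisory). Row 2 carries a benign test payload.
SAMPLE_VACANCIES = [
    {"id": 1, "name": "Senior Accountant"},
    {"id": 2, "name": 'QA Lead<script>alert("xss")</script>'},
]


def render_vacancy_rows_unsafe(vacancies):
    """Reproduces the bug class: the stored name is placed into HTML verbatim,
    so any markup saved in the name is interpreted by the browser of whoever
    views the vacancy list."""
    return "".join(
        f"<tr><td>{v['id']}</td><td>{v['name']}</td></tr>" for v in vacancies
    )


def render_vacancy_rows_safe(vacancies):
    """Hardened form: every stored value is HTML-entity encoded at output time
    (quote=True also encodes quotes, which matters if the value is ever placed
    in an attribute), so the browser shows the text instead of executing it."""
    return "".join(
        f"<tr><td>{v['id']}</td><td>{html.escape(v['name'], quote=True)}</td></tr>"
        for v in vacancies
    )


# Characters and fragments that have no business in a plain vacancy title.
_MARKUP = re.compile(r"""[<>"']|&#|javascript:""", re.IGNORECASE)


def find_suspect_vacancy_names(vacancies):
    """Audit helper: return the ids of stored names containing markup, so an
    administrator can review records planted before output encoding was fixed."""
    return [v["id"] for v in vacancies if _MARKUP.search(v["name"])]
```

Output encoding at render time is the fix; the audit helper only finds records that need review and is not a substitute for it.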

PS - Currently on Twitter:

[1] http://sourceforge.net/projects/orangehrm/
[2] http://sourceforge.net/projects/orangehrm/files/stable/2.7.1/
[3] http://www.orangehrm.com/
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
