OrangeHRM, more secure than ever
By Himath

In our endeavor to make OrangeHRM a highly secure enterprise application, we'll soon be releasing a patch (2.5.0.5) for the latest stable version of OrangeHRM, with a few security improvements. We're thankful to our community and the various organizations that continue to test OrangeHRM and bring existing issues to our attention. We're committed to fixing these issues as soon as possible, and to continuing to improve the level of security in OrangeHRM. The following bugs have been reported, and our development team is now fixing them:
  • 3003346     Potential SQL injection vulnerability with ess login
  • 3001611     ESS module is vulnerable to XSS
  • 3003358     Possible CSRF and PHP code injection
  • 3003361     Unsanitized AJAX responses lead to XSS vulnerability
  • 3000555     Sanitize the input data in jobs.php
We will soon make the fixes available with OrangeHRM 2.5.0.5. In addition to the security testing performed by external organizations, we've formed an internal security testing team, which will continue to test each new version of OrangeHRM thoroughly for possible security flaws. We'll be posting updates about our progress on this blog.