In our endeavor to make OrangeHRM a highly secure enterprise application, we'll soon be releasing a patch (22.214.171.124) for the latest stable version of OrangeHRM, with a few security improvements. We're thankful to our community and the various organizations that continue to test OrangeHRM and bring existing issues to our attention. We're committed to fixing these issues as soon as possible, and to continuing to improve the level of security in OrangeHRM.
The following bugs have been reported, and our development team is now fixing them:
- 3003346 Potential SQL injection vulnerability with ess login
- 3001611 ESS module is vulnerable to XSS
- 3003358 Possible CSRF and PHP code injection
- 3003361 Unsanitized AJAX responses lead to an XSS vulnerability
- 3000555 Sanitize the input data in jobs.php
We will soon make the fixes available with OrangeHRM 126.96.36.199.
In addition to the security testing performed by external organizations, we've formed an internal security testing team, which will continue to test each new version of OrangeHRM thoroughly for possible security flaws.
We'll be posting updates about our progress on this blog.