Full Disclosure mailing list archives

Unauthorized Data Manipulation Vulnerability in Orange HRM


From: vishnu raju <rajuvishnu52 () gmail com>
Date: Sat, 26 Sep 2015 19:43:12 +0530

Hi all,

Greetings from Vishnu (@dH4wk)

Vulnerability title: *Unauthorized Data Manipulation Vulnerability*

Vendor: OrangeHRM

Product: OrangeHRM Open Source (HR management software)

Affected version: 3.3.1 and below

Fixed version: 3.3.2

**Summary**:

OrangeHRM Open Source is a free HR management system that offers a wealth of modules to suit the needs of a business. This widely used system is feature-rich and intuitive, and provides an essential HR management platform along with free documentation and access to a broad community of users.

**Vulnerability Description**:

 The software lets an employer track their employees' attendance. The feature allows a user to punch in when they arrive at the office and punch out when they leave. The vulnerability allows any employee to tamper with their own attendance record at any time. I am *attaching the screenshots* showing how this vulnerability can be exploited.

The tampering is done in two requests (as seen in the screenshots), respectively:
(1) the punch-in request
(2) the punch-in overlapping validation
Both are ordinary client requests, so an employee who intercepts and edits them is not limited to the punch-in time the application would otherwise record.
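The pattern behind this class of bug, as an added illustration that is not OrangeHRM code and makes no claim about how the product implements attendance: in the weak version the punch-in time is a form field and the overlap check is a separate request the browser is merely expected to make first, so an employee can post a time of their choosing and skip the check; in the hardened version the server's clock is the only time source and the overlap rule is enforced in the same code path as the write. Class and field names, the employee id, the fixed clock value and the forged form are all constructed for the example.

```python
"""Client-trusted vs server-assigned attendance timestamps (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Punch:
    punched_in: datetime
    punched_out: Optional[datetime] = None


class TrustingAttendance:
    """Weak pattern: the time comes from the request body and the overlap
    check lives in a separate request nothing forces the client to send."""

    def __init__(self) -> None:
        self.records: Dict[str, List[Punch]] = {}

    def validate_overlap(self, employee_id: str) -> bool:
        # Advisory only: punch_in() below never consults this result.
        return not any(p.punched_out is None for p in self.records.get(employee_id, []))

    def punch_in(self, employee_id: str, form: Dict[str, str]) -> datetime:
        when = datetime.fromisoformat(form["punch_in_time"])  # attacker-controlled value
        self.records.setdefault(employee_id, []).append(Punch(when))
        return when

    def punch_out(self, employee_id: str, form: Dict[str, str]) -> datetime:
        when = datetime.fromisoformat(form["punch_out_time"])  # also attacker-controlled
        self.records[employee_id][-1].punched_out = when
        return when


class ServerClockAttendance:
    """Hardened pattern: the server clock is the only time source, and the
    overlap and ordering rules are checked right before the record is written."""

    def __init__(self, clock: Callable[[], datetime]) -> None:
        self.records: Dict[str, List[Punch]] = {}
        self.clock = clock  # injectable so the example is deterministic

    def punch_in(self, employee_id: str) -> datetime:
        recs = self.records.setdefault(employee_id, [])
        if recs and recs[-1].punched_out is None:
            raise ValueError("already punched in")  # overlap enforced server-side
        now = self.clock()
        recs.append(Punch(now))
        return now

    def punch_out(self, employee_id: str) -> datetime:
        recs = self.records.get(employee_id, [])
        if not recs or recs[-1].punched_out is not None:
            raise ValueError("not punched in")
        now = self.clock()
        recs[-1].punched_out = now
        return now


def demo() -> Dict[str, str]:
    """Run both services against a forged form; constructed data throughout."""
    server_now = datetime(2015, 9, 26, 10, 0, tzinfo=timezone.utc)
    forged_form = {"punch_in_time": "2015-09-26T08:00:00+00:00"}  # two hours early

    weak = TrustingAttendance()
    weak_time = weak.punch_in("emp42", forged_form)  # 08:00 stored, validate_overlap never called

    strong = ServerClockAttendance(clock=lambda: server_now)
    strong_time = strong.punch_in("emp42")  # 10:00 stored regardless of any form contents
    try:
        strong.punch_in("emp42")
        second = "accepted"
    except ValueError:
        second = "rejected"

    return {
        "weak": weak_time.isoformat(),
        "strong": strong_time.isoformat(),
        "second_punch_in": second,
    }


if __name__ == "__main__":
    print(demo())
```

The two differences that matter are that `ServerClockAttendance` never reads a time from the request and that it performs the overlap check in the same method that writes the record, so there is no separate validation request to bypass. Binding `employee_id` to the authenticated session rather than a form field is the same idea applied to the identity.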

**Conclusion**
 This has been reported to Orange HRM and has been fixed in version 3.3.2.

*I appreciate Orange HRM, for the support and immediate response that they
have shown in fixing the issue.*

Happy Hunting!!!


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
