OrangeHRM versions 3.3.1 and below suffer from an unauthorized data manipulation vulnerability.
Vulnerability title: *Unauthorized Data Manipulation Vulnerability*
Vendor: OrangeHRM
Product: OrangeHRM Open Source (HR management software)
Affected version: 3.3.1 and below
Fixed version: 3.3.2
**Summary**:
OrangeHRM Open Source is a free HR management system that offers a wealth of modules to suit the needs of your business. This widely-used system is feature-rich, intuitive and provides an essential HR management platform along with free documentation and access to a broad community of users.
**Vulnerability Description**:
The software lets an employer track employee attendance. The feature allows an employee to punch in when they arrive at the office and punch out when they leave. The vulnerability allows any employee to tamper with their own attendance at any time. I am *attaching the screenshots* showing how this vulnerability can be exploited.

The tampering is done by modifying two requests (as seen in the screenshots), respectively:
(1) the Punch-in request
(2) the Punch-in overlap validation request
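The advisory does not reproduce the request bodies, so the following is an added illustration, not OrangeHRM's code. It assumes the weak pattern this two-request flow suggests: the punch-in time the server stores is taken from the request, and the overlap check is a separate request that the client may skip or answer with different data. The hardened class beside it takes the time from the server clock and performs the overlap check in the same operation that stores the record. Class names, the `clock` parameter and the sample times are all constructed for the example.

```python
"""Punch-in handling: a client-trusting design beside a server-authoritative one.
Added illustration only; this is not OrangeHRM code and the request shape is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Punch:
    employee_id: int
    punch_in: datetime
    punch_out: Optional[datetime] = None   # None while the shift is still open


def overlaps(records: List[Punch], candidate: datetime) -> bool:
    """True if `candidate` falls inside an existing shift (an open shift has no end yet)."""
    no_end = datetime.max.replace(tzinfo=timezone.utc)
    return any(r.punch_in <= candidate < (r.punch_out or no_end) for r in records)


class ClientTrustingAttendance:
    """Assumed weak pattern: the stored time is whatever the request carried, and the
    overlap check is a separate request the client can skip or answer with other data."""

    def __init__(self) -> None:
        self.records: Dict[int, List[Punch]] = {}

    def validate_overlap(self, employee_id: int, client_time: datetime) -> bool:
        """Request 1: asks whether `client_time` would overlap. Advisory only, nothing is stored."""
        return not overlaps(self.records.get(employee_id, []), client_time)

    def punch_in(self, employee_id: int, client_time: datetime) -> Punch:
        """Request 2: stores the record. Nothing here re-checks the time or the overlap."""
        rec = Punch(employee_id, client_time)
        self.records.setdefault(employee_id, []).append(rec)
        return rec


class ServerAuthoritativeAttendance:
    """Hardened pattern: the server clock is the only time source, and the overlap check
    runs in the same operation that stores the record, so there is no request to skip."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self.records: Dict[int, List[Punch]] = {}
        self._clock = clock   # injectable so the behaviour can be exercised with a fixed time

    def punch_in(self, employee_id: int, **client_fields) -> Punch:
        now = self._clock()          # any time supplied by the client is ignored
        recs = self.records.setdefault(employee_id, [])
        if overlaps(recs, now):
            raise ValueError("punch-in overlaps an existing or open shift")
        rec = Punch(employee_id, now)
        recs.append(rec)
        return rec

    def punch_out(self, employee_id: int) -> Punch:
        now = self._clock()
        open_shifts = [r for r in self.records.get(employee_id, []) if r.punch_out is None]
        if not open_shifts:
            raise ValueError("no open shift to punch out of")
        open_shifts[0].punch_out = now
        return open_shifts[0]


def demo() -> dict:
    """Replays the tampering idea against both designs with constructed times."""
    employee = 7
    real_now = datetime(2016, 3, 1, 9, 30, tzinfo=timezone.utc)   # constructed server time
    backdated = real_now - timedelta(hours=2)                       # what the tampered request claims

    weak = ClientTrustingAttendance()
    # Tampered request 2, with the validation request (1) simply skipped.
    weak_rec = weak.punch_in(employee, backdated)
    # Even when validation is called and reports an overlap, request 2 is still accepted.
    validation_said_ok = weak.validate_overlap(employee, backdated + timedelta(minutes=30))
    weak.punch_in(employee, backdated + timedelta(minutes=30))

    strong = ServerAuthoritativeAttendance(clock=lambda: real_now)
    strong_rec = strong.punch_in(employee, punch_in_time=backdated)  # client time ignored
    try:
        strong.punch_in(employee)           # second punch-in during an open shift
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True

    return {
        "real_now": real_now,
        "backdated": backdated,
        "weak_stored": weak_rec.punch_in,
        "weak_record_count": len(weak.records[employee]),
        "weak_validation_said_ok": validation_said_ok,
        "strong_stored": strong_rec.punch_in,
        "strong_overlap_rejected": overlap_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is that the fix is not a stricter validation endpoint: as long as the time and the validation result travel in requests the employee controls, an intercepting proxy can rewrite both. The server has to own the timestamp and perform the overlap check in the same write.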
**Conclusion**
This has been reported to Orange HRM and has been fixed in version 3.3.2.
*I appreciate Orange HRM for the support and immediate response they have shown in fixing the issue.*
Happy Hunting!!!