CVE-2012-1506

medium

Published 2014-09-17 · Modified 2026-05-06

CVSS v3

—

CVSS v2

6.5

VIR risk

6.5

Description

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://blog.orangehrm.com/2012/04/24/orangehrm-27-stable-release-with-complete-localization/

Application impact

Vendor	Product	Versions
orangehrm	orangehrm	`{"endIncluding":"2.6.12.1"}`
orangehrm	orangehrm	`2.6`
orangehrm	orangehrm	`2.6.0`
orangehrm	orangehrm	`2.6.0.1`
orangehrm	orangehrm	`2.6.1`
orangehrm	orangehrm	`2.6.2`
orangehrm	orangehrm	`2.6.3`
orangehrm	orangehrm	`2.6.4`
orangehrm	orangehrm	`2.6.5`
orangehrm	orangehrm	`2.6.6`
orangehrm	orangehrm	`2.6.7`
orangehrm	orangehrm	`2.6.8`
orangehrm	orangehrm	`2.6.8.1`
orangehrm	orangehrm	`2.6.9`
orangehrm	orangehrm	`2.6.10`
orangehrm	orangehrm	`2.6.11`
orangehrm	orangehrm	`2.6.11.2`
orangehrm	orangehrm	`2.6.11.3`
orangehrm	orangehrm	`2.6.12`

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.