CVE-2025-66224
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orangehrm | orangehrm | From 5.0 (inc) to 5.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OrangeHRM versions 5.0 to 5.7 is due to an input-neutralization flaw in the mail configuration and delivery workflow. User-controlled input is directly incorporated into the system's sendmail command without proper sanitization or constraints. This allows unintended sendmail behaviors during email processing, enabling the application to write files on the server. If these files are placed in web-accessible locations, an attacker can execute malicious content on the server. The root cause is constructing OS-level command strings using unsanitized input in the mail-sending logic. The issue is fixed in version 5.8.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution by allowing attackers to write and execute malicious files on the server through the mail-handling process. This compromises the server's security, potentially leading to unauthorized access, data breaches, and control over the affected system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OrangeHRM to version 5.8 or later, where the vulnerability has been patched.