CVE-2025-66225
中文标题:
(暂无数据)
英文标题:
OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow
漏洞描述
中文描述:
(暂无数据)
英文描述:
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| orangehrm | orangehrm | >= 5.0, < 5.8 | - | - |
cpe:2.3:a:orangehrm:orangehrm:>=_5.0,_<_5.8:*:*:*:*:*:*:*
|
| orangehrm | orangehrm | * | - | - |
cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
4.0 (cna)
HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-66225 |
2025-12-03 03:24:31 | 2026-01-12 02:12:24 |
| NVD | nvd_CVE-2025-66225 |
2025-12-04 03:00:02 | 2026-01-12 02:28:03 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']