Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
11 vulnerabilities by learningdigital
CVE-2025-1389 (GCVE-0-2025-1389)
Vulnerability from cvelistv5 – Published: 2025-02-17 04:15 – Updated: 2025-02-18 15:32
VLAI
Title
Learning Digital Orca HCM - SQL Injection
Summary
Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html | third-party-advisory |
| https://www.twcert.org.tw/tw/cp-132-8431-61e42-1.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learning Digital | Orca HCM |
Affected:
0 , < 11.0
(custom)
|
Date Public
2025-02-17 04:10
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:32:29.843720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:32:37.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Orca HCM",
"vendor": "Learning Digital",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-02-17T04:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"value": "Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T04:15:08.540Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8431-61e42-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For standard user, please update to version 11.0 or later.\u003cbr\u003eFor customized user, please contact the vendor for updates.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "For standard user, please update to version 11.0 or later.\nFor customized user, please contact the vendor for updates."
}
],
"source": {
"advisory": "TVN-202502006",
"discovery": "EXTERNAL"
},
"title": "Learning Digital Orca HCM - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-1389",
"datePublished": "2025-02-17T04:15:08.540Z",
"dateReserved": "2025-02-17T03:31:39.867Z",
"dateUpdated": "2025-02-18T15:32:37.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1388 (GCVE-0-2025-1388)
Vulnerability from cvelistv5 – Published: 2025-02-17 03:59 – Updated: 2025-02-18 15:51
VLAI
Title
Learning Digital Orca HCM - Arbitrary File Upload
Summary
Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8430-32513-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learning Digital | Orca HCM |
Affected:
0 , < 11.0
(custom)
|
Date Public
2025-02-17 03:56
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:51:37.310103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:51:46.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Orca HCM",
"vendor": "Learning Digital",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-02-17T03:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells"
}
],
"value": "Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells"
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-650 Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T03:59:13.674Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8430-32513-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For standard user, please update to version 11.0 or later.\u003cbr\u003eFor customized user, please contact the vendor for updates.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "For standard user, please update to version 11.0 or later.\nFor customized user, please contact the vendor for updates."
}
],
"source": {
"advisory": "TVN-202502005",
"discovery": "EXTERNAL"
},
"title": "Learning Digital Orca HCM - Arbitrary File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-1388",
"datePublished": "2025-02-17T03:59:13.674Z",
"dateReserved": "2025-02-17T03:31:38.679Z",
"dateUpdated": "2025-02-18T15:51:46.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1387 (GCVE-0-2025-1387)
Vulnerability from cvelistv5 – Published: 2025-02-17 03:40 – Updated: 2025-02-18 15:52
VLAI
Title
Learning Digital Orca HCM - Improper Authentication
Summary
Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1390 - Weak Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learning Digital | Orca HCM |
Affected:
0 , < 11.0
(custom)
|
Date Public
2025-02-17 03:38
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:52:12.923905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:52:30.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Orca HCM",
"vendor": "Learning Digital",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-02-17T03:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user."
}
],
"value": "Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user."
}
],
"impacts": [
{
"capecId": "CAPEC-633",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-633 Token Impersonation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1390",
"description": "CWE-1390 Weak Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T03:40:45.783Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For standard user, please update to version 11.0 or later.\u003cbr\u003eFor customized user, please contact the vendor for updates\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "For standard user, please update to version 11.0 or later.\nFor customized user, please contact the vendor for updates"
}
],
"source": {
"advisory": "TVN-2020502004",
"discovery": "UNKNOWN"
},
"title": "Learning Digital Orca HCM - Improper Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-1387",
"datePublished": "2025-02-17T03:40:45.783Z",
"dateReserved": "2025-02-17T03:31:37.276Z",
"dateUpdated": "2025-02-18T15:52:30.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8585 (GCVE-0-2024-8585)
Vulnerability from cvelistv5 – Published: 2024-09-09 03:03 – Updated: 2024-09-09 13:37
VLAI
Title
LEARNING DIGITAL Orca HCM - Arbitrary File Download
Summary
Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8041-dfbf9-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LEARNING DIGITAL | Orca HCM |
Affected:
0 , < 11.0
(custom)
|
Date Public
2024-09-09 03:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T13:23:14.343713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T13:37:02.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Orca HCM",
"vendor": "LEARNING DIGITAL",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-09-09T03:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eOrca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
}
],
"value": "Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files."
}
],
"impacts": [
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T03:03:59.133Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8041-dfbf9-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp; Update to version 11.0 or later."
}
],
"value": "Update to version 11.0 or later."
}
],
"source": {
"advisory": "TVN-202409002",
"discovery": "EXTERNAL"
},
"title": "LEARNING DIGITAL Orca HCM - Arbitrary File Download",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-8585",
"datePublished": "2024-09-09T03:03:59.133Z",
"dateReserved": "2024-09-09T02:28:10.418Z",
"dateUpdated": "2024-09-09T13:37:02.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8584 (GCVE-0-2024-8584)
Vulnerability from cvelistv5 – Published: 2024-09-09 02:57 – Updated: 2025-02-21 16:54
VLAI
Title
LEARNING DIGITAL Orca HCM - Missing Authentication
Summary
Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8039-24e48-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LEARNING DIGITAL | Orca HCM |
Affected:
0 , < 11.0
(custom)
|
|
| learningdigital | orca_hcm |
Affected:
0 , < 11.0
(custom)
cpe:2.3:a:learningdigital:orca_hcm:*:*:*:*:*:*:*:* |
Date Public
2024-09-09 02:55
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:learningdigital:orca_hcm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "orca_hcm",
"vendor": "learningdigital",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T13:38:38.578462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T16:54:03.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Orca HCM",
"vendor": "LEARNING DIGITAL",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-09-09T02:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOrca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.\u003c/span\u003e"
}
],
"value": "Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T03:24:53.774Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8039-24e48-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp; Update to version 11.0 or later"
}
],
"value": "Update to version 11.0 or later"
}
],
"source": {
"advisory": "TVN-202409001",
"discovery": "EXTERNAL"
},
"title": "LEARNING DIGITAL Orca HCM - Missing Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-8584",
"datePublished": "2024-09-09T02:57:22.560Z",
"dateReserved": "2024-09-09T02:28:07.857Z",
"dateUpdated": "2025-02-21T16:54:03.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35968 (GCVE-0-2021-35968)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-17 01:01
VLAI
Title
Learningdigital.com, Inc. Orca HCM - Path Traversal-2
Summary
The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users’ privileges.
Severity
4.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
| https://www.twcert.org.tw/tw/cp-132-4928-7e87b-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:42.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4928-7e87b-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users\u2019 privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:47.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4928-7e87b-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107009",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - Path Traversal-2",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35968",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - Path Traversal-2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users\u2019 privileges."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"name": "https://www.twcert.org.tw/tw/cp-132-4928-7e87b-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4928-7e87b-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107009",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35968",
"datePublished": "2021-07-19T11:55:47.851Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:01:11.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35967 (GCVE-0-2021-35967)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-16 16:27
VLAI
Title
Learningdigital.com, Inc. Orca HCM - Path Traversal-1
Summary
The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in.
Severity
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
| https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:45.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107008",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - Path Traversal-1",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35967",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - Path Traversal-1"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"name": "https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107008",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35967",
"datePublished": "2021-07-19T11:55:45.090Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:48.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35966 (GCVE-0-2021-35966)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-16 17:54
VLAI
Title
Learningdigital.com, Inc. Orca HCM - URL Redirection to Untrusted Site ('Open Redirect')
Summary
The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks.
Severity
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
| https://www.twcert.org.tw/tw/cp-132-4926-dc06b-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4926-dc06b-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:43.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4926-dc06b-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107007",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35966",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"name": "https://www.twcert.org.tw/tw/cp-132-4926-dc06b-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4926-dc06b-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107007",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35966",
"datePublished": "2021-07-19T11:55:43.534Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:54:15.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35965 (GCVE-0-2021-35965)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-17 01:11
VLAI
Title
Learningdigital.com, Inc. Orca HCM - Hard-code password
Summary
The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator’s privilege without logging in.
Severity
9.8 (Critical)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
| https://www.twcert.org.tw/tw/cp-132-4925-86733-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:42.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4925-86733-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator\u2019s privilege without logging in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:41.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4925-86733-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107006",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - Hard-code password",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35965",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - Hard-code password"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator\u2019s privilege without logging in."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522 Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"name": "https://www.twcert.org.tw/tw/cp-132-4925-86733-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4925-86733-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107006",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35965",
"datePublished": "2021-07-19T11:55:41.987Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:11:36.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35964 (GCVE-0-2021-35964)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-16 23:11
VLAI
Title
Learningdigital.com, Inc. Orca HCM - Broken Authentication
Summary
The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content.
Severity
7.3 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
| https://www.twcert.org.tw/tw/cp-132-4924-f74d5-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:42.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4924-f74d5-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members\u2019 information, modify and delete the courses in system, thus causing users fail to access the learning content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:40.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4924-f74d5-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107005",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - Broken Authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35964",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - Broken Authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members\u2019 information, modify and delete the courses in system, thus causing users fail to access the learning content."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
},
{
"name": "https://www.twcert.org.tw/tw/cp-132-4924-f74d5-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4924-f74d5-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107005",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35964",
"datePublished": "2021-07-19T11:55:40.300Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:11:42.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35963 (GCVE-0-2021-35963)
Vulnerability from cvelistv5 – Published: 2021-07-19 11:55 – Updated: 2024-09-17 01:41
VLAI
Title
Learningdigital.com, Inc. Orca HCM - Unrestricted Upload of File with Dangerous Type
Summary
The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks.
Severity
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-4923-d68e6-1.html | x_refsource_MISC |
| https://www.chtsecurity.com/news/ba7b3ae7-14f3-49… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Learningdigital.com, Inc. | Orca HCM |
Affected:
unspecified , ≤ 10.0
(custom)
|
Date Public
2021-07-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4923-d68e6-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Orca HCM",
"vendor": "Learningdigital.com, Inc.",
"versions": [
{
"lessThanOrEqual": "10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-19T11:55:37.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4923-d68e6-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107004",
"discovery": "EXTERNAL"
},
"title": "Learningdigital.com, Inc. Orca HCM - Unrestricted Upload of File with Dangerous Type",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-19T11:36:00.000Z",
"ID": "CVE-2021-35963",
"STATE": "PUBLIC",
"TITLE": "Learningdigital.com, Inc. Orca HCM - Unrestricted Upload of File with Dangerous Type"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orca HCM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Learningdigital.com, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The specific parameter of upload function of the Orca HCM digital learning platform does not filter file format, which allows remote unauthenticated attackers to upload files containing malicious script to execute RCE attacks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4923-d68e6-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4923-d68e6-1.html"
},
{
"name": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Orca HCM to version 10.9"
}
],
"source": {
"advisory": "TVN-202107004",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35963",
"datePublished": "2021-07-19T11:55:38.082Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:41:56.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}