OrangeHRM Blog
Voice of Free & Open Source HR System

OrangeHRM, more secure than ever

In our endeavor to make OrangeHRM a highly secure enterprise application, we’ll soon be releasing a patch ( for the latest stable version of OrangeHRM, with a few security improvements. We’re thankful to our community and various organizations that continue to test OrangeHRM and bring existing issues to our attention. We’re committed to fix these issues as soon as possible, and continue to improve the level of security in OrangeHRM.

The following bugs have been reported, and our development team is now fixing them:

  • 3003346     Potential SQL injection vulnerability with ess login
  • 3001611     Ess module is vulenerable to xss
  • 3003358     Possible CSRF and PHP code injection
  • 3003361     Not sanitized ajax reponses leads to XSS vulnerability
  • 3000555     Sanitize the input data in jobs.php

We will soon make the fixes available with OrangeHRM

In addition to security testing performed by external organizations, we’ve internally formed a security testing team, who will continue to test each new version of OrangeHRM thoroughly for possible security flaws.

We’ll be posting updates about our progress on this blog.


2 Responses

  1. Himath

    OrangeHRM has been released to SourceForge with the following bug fixes:
    3000555 - sanitize the input data in jobs.php
    3003346 - Potential SQL injection vulnerability with ess login
    3001611 - Ess module is vulenerable to xss

    This is available as a complete release (for new users), as well as, as a patch release (to upgrade from to

  2. Himath

    All remaining security related issues have been fixed in OrangeHRM

    The following list of bugs are fixed:
    3009783 Possible CSRF vulnerability in OrangeHRM
    3009782 Possible PHP code injection in mail configuration
    3003361 Not sanitized ajax responses leads to XSS vulnerability
    3024184 Cannot apply for a vacancy via jobs.php, error in processing
    3023735 Ess generate attendance rpt leads to deprecated function err
    3023651 Cannot update the timesheet with deleted activities
    3022677 Click on save btn in my leave end up with Undefined index
    3022297 Click on list of taken leave will lead to fatal error
    3020707 Cannot add an employee status through Job Titles
    3019986 Admin press back btn in leave list lead to my leave list
    3019981 Admin/supervisor: Assigned leave cannot cancel or reject

Leave a Comment


Copyright © 2018 OrangeHRM Inc All rights reserved. Powered By WordPress