CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1389 – Learning Digital Orca HCM - SQL Injection
https://notcve.org/view.php?id=CVE-2025-1389
17 Feb 2025 — Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents. • https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1388 – Learning Digital Orca HCM - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1388
17 Feb 2025 — Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells • https://www.twcert.org.tw/en/cp-139-8430-32513-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1387 – Learning Digital Orca HCM - Improper Authentication
https://notcve.org/view.php?id=CVE-2025-1387
17 Feb 2025 — Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user. • https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html • CWE-1390: Weak Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8585 – LEARNING DIGITAL Orca HCM - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2024-8585
09 Sep 2024 — Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files. • https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8584 – LEARNING DIGITAL Orca HCM - Missing Authentication
https://notcve.org/view.php?id=CVE-2024-8584
09 Sep 2024 — Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. • https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •