CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1389 – Learning Digital Orca HCM - SQL Injection
https://notcve.org/view.php?id=CVE-2025-1389
17 Feb 2025 — Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents. • https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1388 – Learning Digital Orca HCM - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1388
17 Feb 2025 — Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells • https://www.twcert.org.tw/en/cp-139-8430-32513-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1387 – Learning Digital Orca HCM - Improper Authentication
https://notcve.org/view.php?id=CVE-2025-1387
17 Feb 2025 — Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user. • https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html • CWE-1390: Weak Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8585 – LEARNING DIGITAL Orca HCM - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2024-8585
09 Sep 2024 — Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files. • https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8584 – LEARNING DIGITAL Orca HCM - Missing Authentication
https://notcve.org/view.php?id=CVE-2024-8584
09 Sep 2024 — Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. • https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35968 – Learningdigital.com, Inc. Orca HCM - Path Traversal-2
https://notcve.org/view.php?id=CVE-2021-35968
19 Jul 2021 — The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users’ privileges. El parámetro directory list page de la plataforma de aprendizaje digital Orca HCM no filtra correctamente los caracteres especiales. Unos atacantes remotos pueden acceder al directorio del sistema a través de Salto de Ruta con privilegios de usuario • https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35967 – Learningdigital.com, Inc. Orca HCM - Path Traversal-1
https://notcve.org/view.php?id=CVE-2021-35967
19 Jul 2021 — The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in. El parámetro directory page de la plataforma de aprendizaje digital Orca HCM no filtra los caracteres especiales. Unos atacantes remotos pueden acceder al directorio del sistema a través de Salto de Ruta sin iniciar sesión • https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35966 – Learningdigital.com, Inc. Orca HCM - URL Redirection to Untrusted Site ('Open Redirect')
https://notcve.org/view.php?id=CVE-2021-35966
19 Jul 2021 — The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causing the URL can be redirected to any website. Remote attackers can use the vulnerability to execute phishing attacks. La función específica de la plataforma de aprendizaje digital Orca HCM no filtra apropiadamente los parámetros de entrada, causando que la URL pueda ser redirigida a cualquier sitio web. Unos atacantes remotos pueden usar la vulnerabilidad para ejecutar ataques de phishing • https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2021-35965 – Learningdigital.com, Inc. Orca HCM - Hard-code password
https://notcve.org/view.php?id=CVE-2021-35965
19 Jul 2021 — The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the webpage in plain text, thus remote attackers can obtain administrator’s privilege without logging in. La plataforma de aprendizaje digital Orca HCM usa una contraseña de administrador débil por defecto, que está embebida en el código fuente de la página web en texto plano, por lo que atacantes remotos pueden obtener el privilegio de administrador sin iniciar sesión • https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25 • CWE-522: Insufficiently Protected Credentials CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35964 – Learningdigital.com, Inc. Orca HCM - Broken Authentication
https://notcve.org/view.php?id=CVE-2021-35964
19 Jul 2021 — The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content. La página de administración de la plataforma de aprendizaje digital Orca HCM no lleva a cabo la verificación de la identidad, lo que permite a atacantes remotos ejecutar la función de administración ... • https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25 • CWE-285: Improper Authorization CWE-287: Improper Authentication •