CVE-2020-29437

Published Jan 5, 2021

Last updated a year ago

CVSS high 8.1
SQL injection

Overview

Description
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.
Source
cve@mitre.org
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
8.1
Impact score
5.2
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Severity
HIGH

CVSS 2.0

Type
Primary
Base score
5.5
Impact score
4.9
Exploitability score
8
Vector string
AV:N/AC:L/Au:S/C:P/I:N/A:P

Weaknesses

nvd@nist.gov
CWE-89

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_parcel_type.php.CVE-2026-26891
  2. Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php.CVE-2026-26887
  3. Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php.CVE-2026-26888
  4. Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php.CVE-2026-26889
  5. sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_employee.php.CVE-2026-26700

References

Sources include official advisories and independent security research.