【Vulnerability Alert】Multiple Critical Security Vulnerabilities in LearningDigital Orca HCM
publish date :
2025-02-19
update date :
2025-02-19
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2025021703022222 | Publication Time | 2025/02/17 15:57 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/02/17 15:57 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】Multiple Critical Security Vulnerabilities in LearningDigital Orca HCM |
|||
| [Content] Forwarded from TWCERTCC-200-202502-00000002 [LearningDigital Orca HCM - Missing Authentication] (TVN-202409001, CVE-2024-8584, CVSS: 9.8) LearningDigital Orca HCM has a Missing Authentication vulnerability that allows unauthorized remote attackers to create administrator accounts and log in using those accounts. [LearningDigital Orca HCM - Arbitrary File Upload] (TVN-202502005, CVE-2025-1388, CVSS: 8.8) LearningDigital Orca HCM has an Arbitrary File Upload vulnerability that enables remote attackers with general access privileges to upload and execute web shell scripts. [LearningDigital Orca HCM - SQL Injection] (TVN-202502006, CVE-2025-1389, CVSS: 8.8) LearningDigital Orca HCM has an SQL Injection vulnerability, allowing remote attackers with general access privileges to inject arbitrary SQL commands to read, modify, or delete database content. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] Versions prior to Orca HCM 11.0 |
|||
| [Recommended Actions] Standard users should update to version 11.0 or later. Customized users should contact the vendor to install the security patch. |
|||
| [Reference] 1.LearningDigital Orca HCM - Missing Authentication: https://www.twcert.org.tw/tw/cp-132-8039-24e48-1.html 2.LearningDigital Orca HCM - Arbitrary File Upload: https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html 3.LearningDigital Orca HCM - SQL Injection: https://www.twcert.org.tw/tw/cp-132-8431-61e42-1.html |
|||
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center
