Description

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.

INFO

Published Date :

2025-11-29T03:06:25.730Z

Last Modified :

2025-12-01T21:05:42.865Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66289 vulnerability.

Vendors Products
Orangehrm
  • Orangehrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66289.

URL Resource
https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact