CVE-2025-66289

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66289
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66289.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66289
Aliases
  • GHSA-99qp-xh4q-pr9x
Published
2025-11-29T03:06:25.730Z
Modified
2025-12-05T12:32:27.121139Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
OrangeHRM is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change
Details

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.

Database specific
{
    "cwe_ids": [
        "CWE-613"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66289.json"
}
References

Affected packages

Git / github.com/orangehrm/orangehrm

Affected ranges

Type
GIT
Repo
https://github.com/orangehrm/orangehrm
Events

Affected versions

v.*

v.5.0

v5.*

v5.1
v5.2
v5.3
v5.4
v5.5
v5.6
v5.6.1
v5.7