Total
3 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-15130 | 1 Humanica | 1 Humatrix 7 | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parameter. Moreover, the attacker can upload executable content (e.g., asp or aspx) for executing OS commands on the server. | |||||
CVE-2019-14932 | 1 Humanica | 1 Humatrix 7 | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data. | |||||
CVE-2019-15129 | 1 Humanica | 1 Humatrix 7 | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI. |