Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.
An attacker can invoke the Orca HCM system function responsible for creating user accounts without authentication. The lack of identity verification mechanism on this endpoint allows anyone to remotely register a new account with administrator privilege level. After creating such an account, the attacker can log in to the system and gain full control over the application.
Attacker gains full administrative access to the HCM system, enabling takeover of employee data, modification of configuration, and potential further actions within the organization's infrastructure.
Apply patches available from the vendor in accordance with references (TWCERT: https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html). Until the update is applied, it is recommended to restrict network access to the Orca HCM system only to trusted networks or IP addresses and monitor logs for suspicious new account registrations.
Orca HCM produced by LEARNING DIGITAL — versions indicated in vendor references (TWCERT)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLearningdigital Orca Hcm
APPLearningdigital< 11.0
Related vulnerabilities
Orca HCM — Improper Authentication umożliwiające logowanie jako dowolny użytkownik
The specific parameter of upload function of the Orca HCM digital learning platform does not filter file forma...
The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded...
Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges t...
Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regu...