CRITICAL🇵🇱 Wersja polska

CVE-2024-8584

CVSS 9.8v3.1pub. 2024-09-09upd. 2025-02-17

Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.

🤖 AI Analysis
How it works

An attacker can invoke the Orca HCM system function responsible for creating user accounts without authentication. The lack of identity verification mechanism on this endpoint allows anyone to remotely register a new account with administrator privilege level. After creating such an account, the attacker can log in to the system and gain full control over the application.

Impact

Attacker gains full administrative access to the HCM system, enabling takeover of employee data, modification of configuration, and potential further actions within the organization's infrastructure.

Mitigation & patch

Apply patches available from the vendor in accordance with references (TWCERT: https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html). Until the update is applied, it is recommended to restrict network access to the Orca HCM system only to trusted networks or IP addresses and monitor logs for suspicious new account registrations.

Who is affected

Orca HCM produced by LEARNING DIGITAL — versions indicated in vendor references (TWCERT)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Learningdigital Orca Hcm

    APP
    Learningdigital
    < 11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-1387CRITICAL9.8PL ✓ten sam produkt

Orca HCM — Improper Authentication umożliwiające logowanie jako dowolny użytkownik

CVE-2021-35963CRITICAL9.8ten sam produkt

The specific parameter of upload function of the Orca HCM digital learning platform does not filter file forma...

CVE-2021-35965CRITICAL9.8ten sam produkt

The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded...

CVE-2025-1389HIGH8.8ten sam produkt

Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges t...

CVE-2025-1388HIGH8.8ten sam produkt

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regu...