Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.
The vulnerability results from improper implementation of the authentication mechanism in the Orca HCM application. An attacker, remotely and without possessing any credentials, can bypass the identity verification process and gain access to any user's account in the system. Lack of authorization requirement (CWE-1390) means that the session or identity protection mechanism is fundamentally flawed.
An attacker can take control of any account in the Orca HCM system, including administrator accounts, leading to complete loss of confidentiality, integrity, and availability of HR data processed by the system.
Apply patches available from the vendor according to the references — detailed information available at addresses published by TWCERT: https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html and https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html
Orca HCM by Learning Digital — versions indicated in the vendor's references (TWCERT)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLearningdigital Orca Hcm
APPLearningdigital< 11.0
Related vulnerabilities
Orca HCM: brak uwierzytelnienia umożliwia tworzenie kont administratora
The specific parameter of upload function of the Orca HCM digital learning platform does not filter file forma...
The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded...
Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges t...
Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regu...