OrangeHRM Session Management Vulnerability Allowing Unauthorized Access

Vulnerability

A vulnerability in OrangeHRM versions 5.0 through 5.7 allows active session cookies to remain valid indefinitely when a user is disabled or when a password is changed. This lack of session invalidation enables a disabled user or an attacker with a compromised account to continue accessing protected pages and performing operations as long as the session remains active. The absence of session revocation or cleanup during these critical state changes renders administrative disable actions ineffective, allowing unauthorized users to maintain full access even after an account is closed or a password is reset. This issue increases the risk and impact of account takeover scenarios.
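The two state changes named above (disabling a user, changing a password) are the points where a session store must either revoke the user's sessions or re-validate them on every request. The following is an added example, not OrangeHRM code, that models both the defect and the fix with an in-memory store: the vulnerable resolver only asks whether the cookie maps to a session, while the hardened resolver also compares the session against the user's current enabled flag and a password version captured at login, and an explicit revoke-all is available for the eager cleanup the advisory says is missing. User ids, the `password_version` counter and the store layout are assumptions made for the demonstration.

```python
"""Session validation across account disable and password change.

Added example modelling the advisory's defect; not OrangeHRM's code.
"""
from dataclasses import dataclass
import secrets


@dataclass
class User:
    user_id: int
    enabled: bool = True
    password_hash: str = "initial-hash"   # constructed placeholder
    password_version: int = 1             # assumption: bumped on every password change


@dataclass
class Session:
    user_id: int
    password_version: int                 # snapshot taken at login


class SessionStore:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.sessions = {}                # session id -> Session

    def login(self, user_id):
        user = self.users[user_id]
        if not user.enabled:
            raise PermissionError("account disabled")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, user.password_version)
        return sid

    # --- state changes that perform no session cleanup (the advisory's defect) ---
    def set_enabled(self, user_id, enabled):
        self.users[user_id].enabled = enabled

    def set_password(self, user_id, new_hash):
        user = self.users[user_id]
        user.password_hash = new_hash
        user.password_version += 1        # every existing session now carries a stale version

    # --- eager cleanup: what disable/password change should call ---
    def revoke_sessions_for(self, user_id):
        stale = [sid for sid, s in self.sessions.items() if s.user_id == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    # Vulnerable: a cookie that maps to any stored session is accepted as-is.
    def resolve_vulnerable(self, sid):
        s = self.sessions.get(sid)
        return s.user_id if s else None

    # Hardened: the session must still match the user's current state.
    # This catches sessions that eager cleanup missed (race, cookie-only stores).
    def resolve_hardened(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        user = self.users.get(s.user_id)
        if user is None or not user.enabled or user.password_version != s.password_version:
            self.sessions.pop(sid, None)  # drop the stale session on first sight
            return None
        return s.user_id


def demo():
    """Run both resolvers through the scenarios in the advisory; returns the outcomes."""
    store = SessionStore([User(1), User(2)])
    results = {}

    sid1 = store.login(1)
    results["fresh"] = (store.resolve_vulnerable(sid1), store.resolve_hardened(sid1))

    store.set_enabled(1, False)           # administrator disables the account, no cleanup
    results["after_disable"] = (store.resolve_vulnerable(sid1), store.resolve_hardened(sid1))

    sid2 = store.login(2)
    store.set_password(2, "rotated-hash")  # password reset, no cleanup
    results["after_password_change"] = (store.resolve_vulnerable(sid2), store.resolve_hardened(sid2))

    sid3 = store.login(2)
    store.revoke_sessions_for(2)          # eager revocation: even the naive resolver now rejects
    results["after_revoke"] = store.resolve_vulnerable(sid3)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

In the vulnerable column the disabled user and the pre-reset session keep resolving to a user id, which is the behaviour the advisory describes; the hardened resolver returns `None` for both and discards the record. Production code should do both things: call the equivalent of `revoke_sessions_for` from the disable and password-change handlers, and keep the per-request comparison as a backstop.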

Impact

Exploitation of this vulnerability allows for prolonged unauthorized access to the application, effectively bypassing account disablement and password change measures. This could lead to unauthorized operations being performed under the guise of a legitimate user, exacerbating the risks associated with account takeover.

Remediation

Users can upgrade to OrangeHRM version 5.8 to address this vulnerability.

Added: Nov 29, 2025, 4:18 AM
Updated: Nov 29, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          0.6
exploitability  5.2
remediation     7.7
relevance       1.2
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.