OrangeHRM Improper Authorization Vulnerability in Recruitment Attachment Retrieval

Vulnerability

An improper authorization vulnerability has been identified in OrangeHRM versions 5.0 through 5.7. The issue arises in the recruitment attachment retrieval endpoint, which fails to enforce necessary authorization checks before delivering candidate files. This flaw allows any authenticated user, including those with only ESS-level access and no permission to view the Recruitment module, to directly access candidate attachment URLs. When a request is made to the attachment endpoint, the system verifies the session but does not ensure that the user has the required recruitment permissions. Consequently, authenticated users can download CVs and other documents for any candidate by sending direct requests to the endpoint, resulting in unauthorized exposure of sensitive applicant information.
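A minimal model of the authorization gap described above, added here as an illustration rather than OrangeHRM's own code: the vulnerable handler only confirms that a session exists, while the hardened handler also requires the Recruitment module permission before it touches the file. The user model, attachment store and permission names are assumptions.

```python
"""Constructed model of a missing module-permission check on file retrieval.

Not OrangeHRM's code; roles and module names follow the advisory, the data
model and handlers are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    username: str
    # Module permissions granted by the user's role; an ESS user has none.
    modules: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Authenticated, but lacking the module permission the resource needs."""


# Constructed sample data: one candidate attachment and two principals.
ATTACHMENTS = {101: b"%PDF-1.4 constructed sample CV"}
ESS_USER = User("ess.employee")
RECRUITER = User("recruiter", frozenset({"recruitment"}))


def get_attachment_vulnerable(user: Optional[User], attachment_id: int) -> bytes:
    """Pattern from the advisory: the session is checked, the permission is not."""
    if user is None:
        raise PermissionError("login required")
    return ATTACHMENTS[attachment_id]


def get_attachment_fixed(user: Optional[User], attachment_id: int) -> bytes:
    """Hardened handler: the Recruitment permission is enforced before the
    lookup, so an unauthorized caller cannot even learn whether an id exists."""
    if user is None:
        raise PermissionError("login required")
    if "recruitment" not in user.modules:
        raise Forbidden(f"{user.username} may not read recruitment attachments")
    return ATTACHMENTS[attachment_id]


def can_read(handler: Callable, user: Optional[User], attachment_id: int) -> bool:
    """True if the handler serves the file, False if it refuses (authn or authz)."""
    try:
        handler(user, attachment_id)
        return True
    except (PermissionError, Forbidden):
        return False
```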

Impact

Exploitation of this vulnerability leads to unauthorized access to candidate attachments, including CVs and other sensitive documents, for any authenticated user.

Remediation

Users can upgrade to OrangeHRM version 5.8 to address this vulnerability.

Added: Nov 29, 2025, 4:17 AM
Updated: Nov 29, 2025, 4:17 AM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  5.2
remediation     7.7
relevance       1.3
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.