OrangeHRM Improper Authorization Vulnerability in Recruitment Module Interview Attachment Retrieval

An improper authorization vulnerability has been identified in OrangeHRM versions 5.0 prior to 5.8. The issue resides in the interview attachment retrieval endpoint of the Recruitment module, which serves files based solely on an authenticated session and user-supplied identifiers. This endpoint fails to verify whether the requester has permission to access the associated interview record. As a result, an ESS-level user without access to recruitment workflows can directly request interview attachment URLs and receive confidential files, including candidate CVs, evaluations, and supporting documents. The vulnerability arises from the server's reliance on predictable object identifiers and session presence, rather than validating the user's association with the relevant recruitment process.

Impact

Exploitation of this vulnerability allows unauthorized users to access confidential interview documents, such as candidate CVs, evaluations, and supporting files.

Remediation

Users can upgrade to OrangeHRM version 5.8 to address this vulnerability.