Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-66289

Good to know:

icon
icon

Date: November 28, 2025

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.

Severity Score

Related Resources (3)

https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x
https://nvd.nist.gov/vuln/detail/CVE-2025-66289
https://www.mend.io/vulnerability-database/CVE-2025-66289

Severity Score

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/orangehrm/orangehrm.git - v5.8

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us