CVE-2011-5258

OrangeHRM < 2.6.11.2 - Cross-Site Scripting via uniqcode, isAdmin, or PATH_INFO

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-5258. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The provided code is a writeup describing an XSS vulnerability in OrangeHRM 2.6.11. It includes a proof-of-concept URL demonstrating the vulnerability but does not contain executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.

Exploits (2)

exploitdb WRITEUP VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/36380

The provided code is a writeup describing an XSS vulnerability in OrangeHRM 2.6.11. It includes a proof-of-concept URL demonstrating the vulnerability but does not contain executable exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: OrangeHRM 2.6.11
No auth needed
Prerequisites: Access to the target application URL
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/36379

The provided text describes SQL injection and XSS vulnerabilities in OrangeHRM 2.6.11, including example URLs demonstrating XSS payloads. No actual exploit code is present.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: OrangeHRM 2.6.11
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/520684/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/71568
Exploit vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/77417
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/50857
Exploit vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/77416
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47014

Scores

EPSS 0.0209
EPSS Percentile 79.4%

Details

CWE
CWE-79
Status published
Products (14)
orangehrm/orangehrm 2.6.0
orangehrm/orangehrm 2.6.0.1
orangehrm/orangehrm 2.6.1
orangehrm/orangehrm 2.6.2
orangehrm/orangehrm 2.6.3
orangehrm/orangehrm 2.6.4
orangehrm/orangehrm 2.6.5
orangehrm/orangehrm 2.6.6
orangehrm/orangehrm 2.6.7
orangehrm/orangehrm 2.6.8
... and 4 more
Published Feb 12, 2013
Tracked Since Feb 18, 2026