CVE-2021-35967
MEDIUM
Orca HCM < 10.0 - Unauthenticated Path Traversal via Directory Page Parameter
Title source: llm
Description
The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory through path traversal without logging in.
References (2)
Core References
Not Applicable x_refsource_misc
https://www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html
Scores
CVSS v3
5.3
EPSS
0.0132
EPSS Percentile
67.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
learningdigital/orca_hcm
< 10.0
Published
Jul 19, 2021
Tracked Since
Feb 18, 2026