CRITICAL🇵🇱 Wersja polska

CVE-2025-1387

CVSS 9.8v3.1pub. 2025-02-17upd. 2025-11-17

Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.

🤖 AI Analysis
How it works

The vulnerability results from improper implementation of the authentication mechanism in the Orca HCM application. An attacker, remotely and without possessing any credentials, can bypass the identity verification process and gain access to any user's account in the system. Lack of authorization requirement (CWE-1390) means that the session or identity protection mechanism is fundamentally flawed.

Impact

An attacker can take control of any account in the Orca HCM system, including administrator accounts, leading to complete loss of confidentiality, integrity, and availability of HR data processed by the system.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed information available at addresses published by TWCERT: https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html and https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html

Who is affected

Orca HCM by Learning Digital — versions indicated in the vendor's references (TWCERT)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Learningdigital Orca Hcm

    APP
    Learningdigital
    < 11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-8584CRITICAL9.8PL ✓ten sam produkt

Orca HCM: brak uwierzytelnienia umożliwia tworzenie kont administratora

CVE-2021-35963CRITICAL9.8ten sam produkt

The specific parameter of upload function of the Orca HCM digital learning platform does not filter file forma...

CVE-2021-35965CRITICAL9.8ten sam produkt

The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded...

CVE-2025-1389HIGH8.8ten sam produkt

Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges t...

CVE-2025-1388HIGH8.8ten sam produkt

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regu...