Platform: other
Component: orca-hcm
Fixed in: 11.0
CVE-2024-8584 describes a critical Missing Authentication vulnerability affecting Orca HCM, a Human Capital Management (HCM) system from LEARNING DIGITAL. This flaw allows an unauthenticated attacker to bypass authentication controls and create an administrator account. Versions 0 through 11.0 are affected, and a fix is available in version 11.0.
The impact of this vulnerability is severe. An attacker exploiting CVE-2024-8584 can create a new administrator account within the Orca HCM system without any prior authentication. This grants them complete control over the application, including access to sensitive employee data, configuration settings, and potentially other connected systems. Successful exploitation could lead to data breaches, unauthorized modifications to HR processes, and significant disruption to business operations. The lack of authentication makes this vulnerability particularly concerning, as it requires no prior knowledge or access to the system.
CVE-2024-8584 was publicly disclosed on September 9, 2024. The vulnerability's critical severity and ease of exploitation suggest a potential for active exploitation. Currently, no public proof-of-concept (PoC) code has been released, but the lack of any authentication requirement makes it likely that attackers will develop exploits quickly. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.83% (74th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-8584 is to upgrade Orca HCM to version 11.0 or later, which includes the necessary authentication fixes. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting network access to the Orca HCM application and closely monitoring user activity for suspicious behavior. Review and strengthen existing security policies related to user account management and access control. While not a direct fix, these measures can help reduce the potential attack surface.
Update Orca HCM to version 11.0 or higher. This version addresses the missing authentication vulnerability that allows for the creation of administrator-privileged accounts. See the release notes for more details about the update.
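Two of the measures above, verifying the installed version and monitoring account activity for suspicious behaviour, can be turned into concrete checks. The following is an added example written for this page; it is not code from LEARNING DIGITAL or the Orca HCM product. The audit-log schema (fields `event`, `actor`, `target`, `role`, `src_ip`, `ts`) is constructed for illustration and must be mapped onto whatever Orca HCM actually logs, and the version check treats 11.0 as the first fixed release, following the advisory's "Fixed in: 11.0" field. The detection logic keys on the vulnerability's signature as the advisory describes it: an administrator account being created with no authenticated actor behind the request, or by an actor who is not on the short list of people allowed to provision administrators.

```python
"""Defender-side checks for CVE-2024-8584 (Orca HCM, unauthenticated admin account creation).

Added example, not LEARNING DIGITAL's or Orca HCM's own code. The audit-log format
below is constructed for illustration; adapt the field names to the real Orca HCM logs.
"""
import json
from typing import Iterable

FIXED_VERSION = (11, 0)  # from the advisory's "Fixed in: 11.0" field (assumption: 11.0 carries the fix)


def parse_version(version: str) -> tuple:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Constructed sample audit-log lines (one JSON object per line). Hypothetical schema:
# ts, event, actor (authenticated user performing the action, or null), target, role, src_ip
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-09-10T08:01:12Z", "event": "account.create", "actor": "hr.admin", "target": "j.doe", "role": "employee", "src_ip": "10.0.4.12"}
{"ts": "2024-09-10T08:05:40Z", "event": "account.create", "actor": null, "target": "svc_backup", "role": "administrator", "src_ip": "203.0.113.7"}
{"ts": "2024-09-10T08:06:02Z", "event": "login", "actor": "svc_backup", "target": null, "role": null, "src_ip": "203.0.113.7"}
{"ts": "2024-09-10T09:15:00Z", "event": "account.create", "actor": "it.support", "target": "temp_admin", "role": "administrator", "src_ip": "10.0.4.30"}
{"ts": "2024-09-10T09:20:00Z", "event": "account.create", "actor": "hr.admin", "target": "a.smith", "role": "administrator", "src_ip": "10.0.4.12"}
"""


def parse_audit_log(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken line should not abort the whole review
    return events


def find_suspicious_admin_creations(events: Iterable[dict], approved_creators: set) -> list:
    """Flag administrator-role account creations not performed by an approved, authenticated actor.

    CVE-2024-8584 lets an unauthenticated request create an administrator account, so such
    an event shows no authenticated actor (null here). Creations by an actor outside the
    approved set are flagged as well, since they also fall outside normal provisioning.
    """
    findings = []
    for ev in events:
        if ev.get("event") != "account.create" or ev.get("role") != "administrator":
            continue
        actor = ev.get("actor")
        if actor is None:
            reason = "no authenticated actor"
        elif actor not in approved_creators:
            reason = f"actor {actor!r} not approved to create admin accounts"
        else:
            continue
        findings.append({
            "ts": ev.get("ts"),
            "target": ev.get("target"),
            "src_ip": ev.get("src_ip"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    print("installed 10.4 affected:", is_affected_version("10.4"))
    for finding in find_suspicious_admin_creations(parse_audit_log(SAMPLE_AUDIT_LOG), {"hr.admin"}):
        print(finding)
```

Run against the constructed sample with `hr.admin` as the only approved creator, the script reports the `svc_backup` creation (no authenticated actor, the pattern this CVE would produce) and the `temp_admin` creation (actor outside the approved set), while the `a.smith` creation by `hr.admin` passes. Any hit on the first pattern on a pre-11.0 deployment warrants treating the host as compromised and reviewing the source IP's other activity.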
CVE-2024-8584 is a critical vulnerability in Orca HCM allowing unauthenticated attackers to create administrator accounts. It impacts versions 0–11.0 and carries a CVSS score of 9.8.
If you are using Orca HCM versions 0 through 11.0, you are potentially affected. Verify your version and prioritize upgrading to 11.0 or later.
The recommended fix is to upgrade Orca HCM to version 11.0 or later. If upgrading is not immediately possible, implement temporary access restrictions and monitor user activity.
While no public exploits are currently available, the vulnerability's critical severity and ease of exploitation suggest a high likelihood of active exploitation.
Refer to the LEARNING DIGITAL security advisory for detailed information and updates regarding CVE-2024-8584. Check their official website or security notification channels.