OrangeHRM version 2.5.0.4 suffers from php code injection, cross site request forgery, cross site scripting and remote SQL injection vulnerabilities.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/89351/orangehrm-sqlxssxsrf.txt
Source: https://packetstormsecurity.com/files/89351/OrangeHRM-2.5.0.4-Cross-Site-Request-Forgery-Cross-Site-Scripting-SQL-Injection.html