OrangeHRM 4.10 is vulnerable to a Host header injection redirect via the viewPersonalDetails endpoint.
orangehrm orangehrm 4.10