OrangeHRM 2.7.1 Cross Site Scripting

2013-01-11T00:00:00
ID PACKETSTORM:119461
Type packetstorm
Reporter SBV Research
Modified 2013-01-11T00:00:00

Description

                                        
OrangeHRM[1] 2.7.1[2] -- the latest stable release as of this writing --  
suffers from a persistent XSS in the vacancy name variable. Steps:  
  
  
1. Navigate to the following URL:  
http://[domain]/symfony/web/index.php/recruitment/viewJobVacancy  
  
2. Add or Edit a Vacancy  
3. Put an XSS payload in the Vacancy Name parameter  
4. Save  
5. Navigate back to top Vacancy page (click back button)  
6. Witness XSS  
  
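The root cause described above is the stored vacancy name being written back into the listing page without output encoding. The following is an added illustration, not OrangeHRM's code: a minimal render of a vacancy table in the vulnerable form beside a hardened form that entity-encodes the stored value at output time, plus a regression check that flags raw `<script` in rendered output. The sample names and the edit-link path are constructed for the example.

```python
import html
import re

# Constructed sample records (not taken from the advisory): one benign name and one
# stored value carrying the kind of markup the advisory describes.
SAMPLE_VACANCIES = [
    {"id": 1, "name": "Senior Accountant"},
    {"id": 2, "name": '<script>alert("vacancy")</script>'},
]

# Hypothetical edit route used only to give the rendered row a link target.
EDIT_PATH = "/symfony/web/index.php/recruitment/editJobVacancy"


def render_vacancy_list_vulnerable(vacancies):
    """Mirrors the flaw: the stored name is concatenated into HTML unchanged,
    so whatever was saved in step 3 is interpreted by the browser in step 5."""
    rows = "".join(
        f'<tr><td><a href="{EDIT_PATH}/{v["id"]}">{v["name"]}</a></td></tr>'
        for v in vacancies
    )
    return f"<table>{rows}</table>"


def render_vacancy_list_fixed(vacancies):
    """Hardened: every stored value is encoded for its HTML context at output time.
    The id goes into an attribute, so it is coerced to an integer; the name goes
    into element content, so < > & " ' are entity-encoded."""
    rows = []
    for v in vacancies:
        vid = int(v["id"])  # raises on anything that is not a plain integer
        name = html.escape(str(v["name"]), quote=True)
        rows.append(f'<tr><td><a href="{EDIT_PATH}/{vid}">{name}</a></td></tr>')
    return "<table>" + "".join(rows) + "</table>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_markup(rendered):
    """Regression check for a test suite: a raw <script> tag surviving into the
    rendered page means an output path skipped encoding. Encoded output
    (&lt;script&gt;) does not match."""
    return SCRIPT_TAG.search(rendered) is not None
```

The same encode-at-output rule applies to every place the vacancy name is echoed (edit form, detail view, e-mail templates), since the value is stored once and rendered in many contexts.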
Screenshots of the above exploit steps may be found on my website (for  
those who want additional validation):  
http://securitymaverick.com/?p=408  
  
I contacted OrangeHRM[3] but did not receive a reply.  
  
  
Thanks,  
Ken  
  
  
PS - Currently on Twitter:  
https://twitter.com/infosecmaverick  
  
  
----------------  
[1] http://sourceforge.net/projects/orangehrm/  
[2] http://sourceforge.net/projects/orangehrm/files/stable/2.7.1/  
[3] http://www.orangehrm.com/  