78 matches found
CVE-2024-46073
CVE-2024-46073 describes a reflected Cross‑Site Scripting (XSS) in IceHRM v32.4.0.OS login page. The root cause is improper sanitization of the user-controlled yet echoed “next” parameter, which is included in the response without proper escaping. This enables an attacker to lure a user to a craf...
CVE-2023-6282
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting XSS vulnerability via /icehrm/app/fileuploadpage.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially...
Cross site scripting
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting XSS vulnerability via /icehrm/app/fileuploadpage.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially...
CVE-2023-6282 Cross-Site Scripting vulnerability in IceHrm
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting XSS vulnerability via /icehrm/app/fileuploadpage.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially...
CVE-2023-6282
IceHrm 23.0.0.OS contains an XSS vulnerability in /icehrm/app/fileupload_page.php caused by insufficient encoding of user-controlled input across multiple parameters. An attacker could deliver a crafted JavaScript payload to partially hijack a victim’s browser. Exploitation details are not provid...
CVE-2023-6282 Cross-Site Scripting vulnerability in IceHrm
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting XSS vulnerability via /icehrm/app/fileuploadpage.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially...
CVE-2023-6282 Cross-Site Scripting vulnerability in IceHrm
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting XSS vulnerability via /icehrm/app/fileuploadpage.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially...
IceHrm Cross-Site Scripting Vulnerability
IceHrm is a human resource management Hrm system. The system includes features such as employee management, vacation management, and payroll management. A cross-site scripting vulnerability exists in IceHrm version 23.0.0.OS, which stems from insufficiently coded user-controlled input that can le...
PT-2024-14924 · Ice Hrm · Ice Hrm
Name of the Vulnerable Software and Affected Versions: IceHrm version 23.0.0.OS Description: The issue arises from insufficient encoding of user-controlled input, leading to a Cross-Site Scripting XSS vulnerability. This vulnerability can be exploited via the /icehrm/app/fileupload page.php...
CVE-2022-26588
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
CVE-2022-26588
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
Cross site request forgery (csrf)
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
CVE-2022-26588
IceHrm 31.0.0.OS is affected by a CSRF vulnerability where the app/service.php endpoint lacks CSRF token validation. This allows an attacker to delete arbitrary users or achieve account takeover via the affected interface. Public sources (e.g., PacketStorm, Exploit-DB) describe an exploit path an...
CVE-2022-26588
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
CVE-2022-26588
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion Vulnerability
Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery CSRF to Account Deletion Exploit Author: Devansh Bordia Vendor Homepage: https://icehrm.com/ Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS Version: 31.0.0.OS Tested on: Windows 10 CVE: CVE-2022-26588 1. About...
IceHrm 跨站请求伪造漏洞
IceHrm is a human resource management Hrm system. The system includes features such as employee management, leave management and payroll management. A security vulnerability exists in IceHrm version 31.0.0.0S, which stems from the lack of token validation in the software for cross-site request...
ICEHRM 31.0.0.0S Cross Site Request Forgery
Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery CSRF to Account Deletion Date: 29/03/2022 Exploit Author: Devansh Bordia Vendor Homepage: https://icehrm.com/ Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS Version: 31.0.0.OS Tested on: Windows 10 CVE:...
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery CSRF to Account Deletion Date: 29/03/2022 Exploit Author: Devansh Bordia Vendor Homepage: https://icehrm.com/ Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS Version: 31.0.0.OS Tested on: Windows 10 CVE:...
ICEHRM 31.0.0.0S - Cross-site Request Forgery to Account Takeover Vulnerability
Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery CSRF to Account Takeover Exploit Author: Devansh Bordia Vendor Homepage: https://icehrm.com/ Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS Version: 31.0.0.OS Tested on: Windows 10 1. About - ICEHRM IceHrm...