ID | Severity | Date

CVE-2018-12420 | High | Jun 14, 2018
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.
5.1, 4.2, 4.1, 4.0, 3.2, 3.0.1, v5.3, v5.0, v5.2, 3.0

BDSA-2025-0070 | High | Jan 07, 2025
A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a user into visiting a specially crafted URL, causing the execution of arbitrary JavaScript code in the context of the victim's browser. The issue occurs even though the application has sanitization mechanisms in place.
**Note: CVE details have been utilized in generating this advisory. The details of the vulnerability have not been independently verified by Black Duck CyRC.**

BDSA-2022-0822 | High | Mar 29, 2022
IceHrm contains a cross-site request forgery (CSRF) vulnerability due to a lack of security measures or CSRF tokens. An attacker could exploit this vulnerability by sending a crafted link to another user to execute malicious actions on their behalf.

BDSA-2021-4528 | High | Aug 02, 2022
Ice Hrm is vulnerable to reflected cross-site scripting (XSS) due to the missing sanitization of the `m` parameter in the Dashboard of the current user. An attacker could insert malicious JavaScript in this parameter and have the code executed on other users' browsers once the parameter is displayed. This vulnerability could be used to steal session tokens or execute actions on other users' behalf.

BDSA-2021-4527 | High | Aug 02, 2022
Ice Hrm is vulnerable to reflected cross-site scripting (XSS) due to the missing sanitization of the `key` and `fm` parameters in the `login.php` component. An attacker could insert malicious JavaScript in those parameters and have the code executed on other users' browsers once the parameters are displayed. This vulnerability could be used to steal session tokens or execute actions on other users' behalf.

BDSA-2021-4526 | High | Aug 02, 2022
Ice Hrm is vulnerable to stored cross-site scripting (XSS) due to the missing sanitization of users' First Name field. An attacker could insert malicious JavaScript as their first name and have the code executed on other users' browsers once they attempt to view the name. This vulnerability could be used to steal session tokens or execute actions on other users' behalf.

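The XSS entries above (the reflected `next`, `m`, `key` and `fm` parameters and the stored First Name field) share one root cause and one fix: attacker-controlled text is written into an HTML response without output encoding for the context it lands in. The 2025 advisory also notes that a sanitization mechanism was present yet insufficient. The following is an added example, not IceHrm's code and not taken from the advisories: it contrasts a hypothetical blocklist "sanitizer" with proper attribute-context escaping, and audits the rendered HTML with Python's own parser to show which version lets injected markup through. The template, parameter names, and sample payloads are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for a reflected query parameter (the advisories
# name "next", "m", "key" and "fm"; the stored case is the First Name field).
# These payloads are generic illustrations of the bug class, not exploit
# steps against IceHrm.
SAMPLES = {
    "benign": "/dashboard",
    "script_tag": '"><script>alert(1)</script>',
    "event_handler": '"><img src=x onerror=alert(1)>',
}

# Hypothetical template that reflects the value inside an attribute.  A lone
# double quote is enough to close the attribute and start new markup.
TEMPLATE = '<input type="hidden" name="next" value="{value}">'


def naive_sanitize(value: str) -> str:
    """Blocklist 'sanitizer' that only strips <script> tags.

    This stands in for a defence that exists but is bypassable: it never
    addresses attribute breakout or event-handler attributes.
    """
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def render_vulnerable(param: str) -> str:
    """Reflect the value after the blocklist pass (still exploitable)."""
    return TEMPLATE.format(value=naive_sanitize(param))


def render_hardened(param: str) -> str:
    """Reflect the value with HTML-attribute-context escaping.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    treats the attacker's text as data, never as markup.  The same call
    applies to stored values (e.g. a first name) at the point of output.
    """
    return TEMPLATE.format(value=html.escape(param, quote=True))


class _MarkupAudit(HTMLParser):
    """Record every tag and every on* attribute the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_markup(rendered: str) -> tuple[list[str], list[str]]:
    """Return (unexpected tags, event-handler attributes) in the rendered page.

    Anything beyond the template's single <input> means the reflected value
    escaped its attribute and was interpreted as markup.
    """
    audit = _MarkupAudit()
    audit.feed(rendered)
    audit.close()
    return [t for t in audit.tags if t != "input"], audit.handlers


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name,
              "blocklist:", injected_markup(render_vulnerable(value)),
              "escaped:", injected_markup(render_hardened(value)))
```

The blocklist passes the obvious `<script>` payload, which is exactly why such a check gives false confidence: the event-handler variant still yields an `<img>` tag with an `onerror` attribute, while the escaped rendering yields no extra tags for any input. When reviewing a fix for this class, look for escaping applied at output time per context (HTML body, attribute, JavaScript, URL) rather than for input filtering.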
BDSA-2020-1018 | High | May 07, 2020
IceHrm contains a cross-site request forgery (CSRF) vulnerability in `app/service.php` due to a lack of security measures or CSRF tokens. An attacker could exploit this vulnerability by sending a crafted link or malicious web form to an admin user in order to add arbitrary users.

BDSA-2020-1003 | High | May 07, 2020
IceHrm contains a cross-site request forgery (CSRF) vulnerability in `app/service.php` due to a lack of CSRF tokens. An attacker could exploit this vulnerability by sending a crafted link or malicious web form to an admin user in order to execute arbitrary password changes.

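The three CSRF entries (BDSA-2022-0822, BDSA-2020-1018 and BDSA-2020-1003) describe the same weakness: a state-changing endpoint that trusts any request carrying the victim's session cookie, so a form on an attacker's site can add a user or change a password in an admin's name. The following is an added example, not IceHrm's code and not derived from `app/service.php`: a constructed stand-in endpoint that dispatches "add user" and "change password" actions, with the unprotected behaviour selectable beside the token-checked one. The session class, cookie header, form markup and action names are all assumptions made for the example.

```python
import hmac
import re
import secrets

# Everything here is a constructed stand-in for the pattern the advisories
# describe (a service endpoint that adds users or changes passwords); none
# of it is IceHrm's own code.


class Session:
    """Server-side session; the CSRF token is generated once per session."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: SameSite=Lax stops the browser attaching the session
    cookie to cross-site POSTs before the token check even runs."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax"


def render_form(session: Session) -> str:
    """Embed the per-session token in every state-changing form."""
    return (
        '<form method="post" action="/service">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="hidden" name="action" value="change_password">'
        '<input type="password" name="new_password">'
        "</form>"
    )


def extract_token(form_html: str) -> str:
    """What a same-origin page can read back; an attacker's site cannot."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return match.group(1) if match else ""


def token_valid(session: Session, submitted: str) -> bool:
    """Constant-time compare so the check leaks nothing about the token."""
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def service(session: Session, method: str, params: dict, enforce_csrf: bool = True):
    """Dispatch a state-changing action.

    enforce_csrf=False reproduces the vulnerable behaviour: any request that
    arrives with the admin's session cookie is honoured, including one the
    browser submitted from an attacker-controlled page.
    """
    if method != "POST":
        return ("rejected", "state change requires POST")
    if enforce_csrf and not token_valid(session, params.get("csrf_token", "")):
        return ("rejected", "missing or invalid csrf_token")
    action = params.get("action")
    if action == "add_user":
        return ("user added", params["username"])
    if action == "change_password":
        return ("password changed", params["new_password"])
    return ("rejected", "unknown action")


if __name__ == "__main__":
    admin = Session()
    # Constructed cross-site submission: it carries the cookie, not the token.
    forged = {"action": "change_password", "new_password": "attacker-chosen"}
    print("vulnerable:", service(admin, "POST", forged, enforce_csrf=False))
    print("hardened:  ", service(admin, "POST", forged))
```

The token must be bound to the session (a token minted for one session is rejected by another), compared in constant time, and required on every state-changing route, not only on the form the developer remembered. `SameSite=Lax` on the session cookie is a worthwhile second layer but not a substitute: it does not cover top-level GET navigations that change state, which is why the example also refuses non-POST requests.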