This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
The input sent to GET parameter m gets reflected in a script generated in the page, and isn't sanitized properly, leading to a Reflected XSS vulnerability.
You can try adding the payload ';alert(document.cookie);// into the URL bar for m parameter, in any of the pages in IceHRM post login to see this in action.
The server is taking in the content of parameter 'm', and generates the following script in the response enclosed within <script> tags :
A malicious actor can craft a link that - when clicked by any user logged in (admin or normal user) - can cause a Reflected XSS attack. This could lead to the leak of session credentials.
cooliscool
changed the title
Reflected XSS vulnerability in dashboard of logged-in user
Reflected XSS vulnerability in the Dashboard page of logged-in user
Feb 8, 2022
Important note :
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
The input sent to GET parameter
mgets reflected in a script generated in the page, and isn't sanitized properly, leading to a Reflected XSS vulnerability.You can try adding the payload
';alert(document.cookie);//into the URL bar formparameter, in any of the pages in IceHRM post login to see this in action.The server is taking in the content of parameter 'm', and generates the following script in the response enclosed within
<script>tags :The
refIdparameter has the value passed in throughm, which is unsanitized & gets reflected in the page.Proof of Concept
login to the demo dashboard at https://icehrmpro.gamonoid.com/
Follow the link : https://icehrmpro.gamonoid.com/?g=admin&n=dashboard&m=admin_Admin%27;alert(document.cookie)//
Impact
A malicious actor can craft a link that - when clicked by any user logged in (admin or normal user) - can cause a Reflected XSS attack. This could lead to the leak of session credentials.
Occurences
icehrm/core/footer.php
Lines 126 to 138 in f44b9ec
The text was updated successfully, but these errors were encountered: