VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 28, 2025 · Updated Apr 15, 2026

CVE-2025-3706

Description

The eHRMS from 104 Corporation has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in 104 Corporation eHRMS allows unauthenticated attackers to execute arbitrary JavaScript via crafted links, affecting versions up to V202412.

The eHRMS web application from 104 Corporation contains a Reflected Cross-site Scripting (XSS) vulnerability. The flaw arises from insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary JavaScript code into a response that is immediately reflected back to the user's browser [1][2].

An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious URL and tricking a victim into clicking it (e.g., via phishing). No authentication is required, and the attack requires user interaction, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [1][2].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other actions performed on behalf of the authenticated user [1][2].

The vulnerability affects eHRMS versions V202412 and earlier. 104 Corporation has released version V202412_Z02 to address the issue. Users are advised to update to this or a later version. For detailed update instructions, contacting 104 is recommended [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
