VYPR

icehrm

by IceHrm

CVEs (7)

  • CVE-2021-38823CriOct 4, 2021
    risk 0.64cvss 9.8epss 0.01

    The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.

  • CVE-2022-26588MedApr 8, 2022
    risk 0.42cvss 6.5epss 0.01

    A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.

  • CVE-2024-46073MedJan 6, 2025
    risk 0.40cvss 6.1epss 0.00

    A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this…

  • CVE-2022-25014MedFeb 28, 2022
    risk 0.40cvss 6.1epss 0.01

    Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link.

  • CVE-2022-25013MedFeb 28, 2022
    risk 0.40cvss 6.1epss 0.01

    Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php.

  • CVE-2023-6282MedJan 25, 2024
    risk 0.35cvss 5.4epss 0.00

    IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript…

  • CVE-2021-38822MedOct 4, 2021
    risk 0.35cvss 5.4epss 0.01

    A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands.