Icehrm
by gamonoid
Source repositories
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-46073 | Med | 0.40 | 6.1 | 0.00 | Jan 6, 2025 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this… | ||
| CVE-2023-6282 | 0.00 | — | 0.00 | Jan 25, 2024 | IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript… | |||
| CVE-2022-26588 | 0.00 | — | 0.01 | Apr 8, 2022 | A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI. | |||
| CVE-2022-25013 | 0.00 | — | 0.01 | Feb 28, 2022 | Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php. | |||
| CVE-2021-38823 | 0.00 | — | 0.01 | Oct 4, 2021 | The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser. | |||
| CVE-2020-6114 | 0.00 | — | 0.02 | Jul 10, 2020 | An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to… | |||
| CVE-2018-12420 | Hig | 0.00 | 7.5 | 0.01 | Jun 14, 2018 | IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request. |
- risk 0.40cvss 6.1epss 0.00
A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this…
- CVE-2023-6282Jan 25, 2024risk 0.00cvss —epss 0.00
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript…
- CVE-2022-26588Apr 8, 2022risk 0.00cvss —epss 0.01
A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.
- CVE-2022-25013Feb 28, 2022risk 0.00cvss —epss 0.01
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php.
- CVE-2021-38823Oct 4, 2021risk 0.00cvss —epss 0.01
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
- CVE-2020-6114Jul 10, 2020risk 0.00cvss —epss 0.02
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to…
- risk 0.00cvss 7.5epss 0.01
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.