This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
The input sent to GET parameter m gets reflected in a script generated in the page, and isn't sanitized properly, leading to a Reflected XSS vulnerability.
You can try adding the payload ';alert(document.cookie);// into the URL bar for m parameter, in any of the pages in IceHRM post login to see this in action.
The server is taking in the content of parameter 'm', and generates the following script in the response enclosed within <script> tags :
A malicious actor can craft a link that - when clicked by any user logged in (admin or normal user) - can cause a Reflected XSS attack. This could lead to the leak of session credentials.
Important note :
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
The input sent to GET parameter
m
gets reflected in a script generated in the page, and isn't sanitized properly, leading to a Reflected XSS vulnerability.You can try adding the payload
';alert(document.cookie);//
into the URL bar form
parameter, in any of the pages in IceHRM post login to see this in action.The server is taking in the content of parameter 'm', and generates the following script in the response enclosed within
<script>
tags :The
refId
parameter has the value passed in throughm
, which is unsanitized & gets reflected in the page.Proof of Concept
login to the demo dashboard at https://icehrmpro.gamonoid.com/
Follow the link : https://icehrmpro.gamonoid.com/?g=admin&n=dashboard&m=admin_Admin%27;alert(document.cookie)//
Impact
A malicious actor can craft a link that - when clicked by any user logged in (admin or normal user) - can cause a Reflected XSS attack. This could lead to the leak of session credentials.
Occurences
https://github.com/gamonoid/icehrm/blob/f44b9ec8dd60f42c9e94ac78c55d82244b74b4db/core/footer.php#L126-L138