Closed P0cas closed 1 year ago
```php
<script type="text/javascript">
    var key = "";
    <?php if (isset($_REQUEST['key'])) {?>
    key = '<?=$_REQUEST['key']?>';
    key = key.replace(/ /g,"+");
    <?php }?>
</script>
<!-- https://github.com/gamonoid/icehrm/blob/master/core/login.php#L213L219 -->
```
We (@Inweol) discovered a DOM-based XSS. The XSS occurs because the server doesn't escape single quotes.
PoC: https://icehrm.com/app/<any nickname>/login.php?logout=1&key=pocas%27-alert(document.domain)//
If you go to the PoC above, you can see the XSS occur.
Fixed (d7ff54d)
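One way to harden the pattern in the quoted `login.php` snippet, shown as an added example (it is not icehrm's code and not necessarily what commit d7ff54d changed): emit the value as a JavaScript literal with `json_encode()` instead of echoing it between quotes. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: not icehrm code, and not the change made in d7ff54d.

// Emits the value the way the reported snippet does: raw, inside a
// single-quoted JavaScript string literal.
function renderKeyUnsafe(string $key): string
{
    return "<script>var key = '" . $key . "';</script>";
}

// Emits the value as a JavaScript literal produced by json_encode().
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// value can neither end the string literal nor end the <script> element.
function renderKeySafe(string $key): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($key, $flags);
    if ($literal === false) {
        // json_encode() fails on invalid UTF-8; fall back to an empty
        // string rather than emitting the raw input.
        $literal = '""';
    }
    return '<script>var key = ' . $literal . ';</script>';
}

// Constructed sample inputs. The second is the URL-decoded value of the
// "key" parameter in the report's PoC; the third shows why JSON_HEX_TAG
// matters inside a <script> element.
$samples = [
    'abc123 def',
    "pocas'-alert(document.domain)//",
    'a</script>b',
];

foreach ($samples as $key) {
    echo 'input : ', $key, PHP_EOL;
    echo 'unsafe: ', renderKeyUnsafe($key), PHP_EOL;
    echo 'safe  : ', renderKeySafe($key), PHP_EOL, PHP_EOL;
}
```

Running it with the PHP CLI prints both renderings side by side; in the safe output the quote appears as `\u0027` and `<` as `\u003C`, so the value stays inside the string literal.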