Hi Team,
I couldn't find any contact information for @gamonoid on their GitHub profile page, so creating an issue here.
Description:
The IceHRM application is vulnerable to a reflected cross-site scripting vulnerability. This is due to the application not properly sanitizing the user input in the next parameter on the login page.
Steps to reproduce:
Visit the below URL from Firefox: https://icehrm.com/app//login.php?next=testingforbugs%22%20accesskey=%22x%22%20onclick%3d%22alert(document.domain)
Once the above page loads, click ALT+SHIFT+X (Windows) or CTRL+ALT+X (OS X)
References: https://portswigger.net/research/xss-in-hidden-input-fields
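A mitigation sketch for the issue reported above, added here as an example; it is not part of the original report and not IceHRM's own code. It assumes the login page reflects next into a double-quoted attribute of a hidden input and that next is meant to be a same-site relative path; all function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not taken from IceHRM.

// Encode a value for a quoted HTML attribute. ENT_QUOTES covers both " and ',
// so the value cannot terminate the attribute and append new ones.
function attr_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: `next` is a same-site relative path. Anything else is dropped.
function normalize_next($next): string
{
    // Arrays (?next[]=...) and oversized values are rejected outright.
    if (!is_string($next) || strlen($next) > 512) {
        return '';
    }
    // One leading slash, then path/query characters only: no quotes, spaces,
    // angle brackets, backslashes, or scheme/host prefixes such as "//host".
    if (!preg_match('#^/(?!/)[A-Za-z0-9_\-./?&=%]*\z#', $next)) {
        return '';
    }
    return $next;
}

// Validate first, then encode at the point of output.
function render_next_field($rawNext): string
{
    $next = normalize_next($rawNext);
    return '<input type="hidden" name="next" value="' . attr_encode($next) . '">';
}

// Constructed inputs: the decoded value from the report and a benign path.
$reported = 'testingforbugs" accesskey="x" onclick="alert(document.domain)';
$benign   = '/app/?g=admin&n=dashboard';

// Encoding alone keeps the reported value inside the attribute as inert text.
echo attr_encode($reported), PHP_EOL;
// Validation plus encoding: the reported value is rejected, the path survives.
echo render_next_field($reported), PHP_EOL;
echo render_next_field($benign), PHP_EOL;
```

In a real login handler the raw value would come from `$_GET['next'] ?? null`, and the same encoding applies anywhere else the value is echoed.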