Icehrm

icehrm

Vendor: Icehrm • 15 CVEs

CVEs (15)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-6282 1Icehrm 1Icehrm Nov 21, 2024 Jan 25, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vu...Show more IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially hijacking the victim's browser.Show less
CVE-2022-26588 1Icehrm 1Icehrm Nov 21, 2024 Apr 8, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.
CVE-2022-25015 1Icehrm 1Icehrm Nov 21, 2024 Feb 28, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.
CVE-2022-25014 1Icehrm 1Icehrm Nov 21, 2024 Feb 28, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session crede...Show more Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link.Show less
CVE-2022-25013 1Icehrm 1Icehrm Nov 21, 2024 Feb 28, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php.
CVE-2021-38823 1Icehrm 1Icehrm Jun 17, 2026 Oct 4, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
CVE-2021-38822 1Icehrm 1Icehrm Jun 17, 2026 Oct 4, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands.
CVE-2021-35046 1Icehrm 1Icehrm Jun 17, 2026 Jun 22, 2021 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.
CVE-2021-35045 1Icehrm 1Icehrm Jun 17, 2026 Jun 22, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint.
CVE-2021-34244 1Icehrm 1Icehrm Jun 17, 2026 Jun 22, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.
CVE-2021-34243 1Icehrm 1Icehrm Jun 17, 2026 Jun 22, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The expl...Show more A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file.Show less
CVE-2020-6114 1Icehrm 1Icehrm Jun 17, 2026 Jul 10, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injecti...Show more An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2020-9271 1Icehrm 1Icehrm Jun 17, 2026 Feb 18, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php.
CVE-2020-9270 1Icehrm 1Icehrm Jun 17, 2026 Feb 18, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php.
CVE-2018-12420 1Icehrm 1Icehrm Nov 21, 2024 Jun 14, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.