Filtered by vendor Icehrm
Subscribe
Total
15 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6282 | 1 Icehrm | 1 Icehrm | 2024-02-28 | N/A | 6.1 MEDIUM |
IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially hijacking the victim's browser. | |||||
CVE-2022-26588 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI. | |||||
CVE-2022-25014 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link. | |||||
CVE-2022-25013 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php. | |||||
CVE-2022-25015 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field. | |||||
CVE-2021-38823 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser. | |||||
CVE-2021-38822 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands. | |||||
CVE-2021-35046 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. | |||||
CVE-2021-34243 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file. | |||||
CVE-2021-35045 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint. | |||||
CVE-2021-34244 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords. | |||||
CVE-2020-6114 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
CVE-2020-9271 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php. | |||||
CVE-2020-9270 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php. | |||||
CVE-2018-12420 | 1 Icehrm | 1 Icehrm | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request. |