Vulnerabilities > Icehrm > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2024-01-25 | CVE-2023-6282 | Cross-site Scripting vulnerability in Icehrm 23.0.0.Os | IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. | network; low complexity; icehrm; CWE-79; 6.1 |
| 2022-04-08 | CVE-2022-26588 | Cross-Site Request Forgery (CSRF) vulnerability in Icehrm 31.0.0.Os | A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI. | network; low complexity; icehrm; CWE-352; 6.5 |
| 2022-02-28 | CVE-2022-25013 | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os | Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php. | network; low complexity; icehrm; CWE-79; 6.1 |
| 2022-02-28 | CVE-2022-25014 | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os | Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. | network; low complexity; icehrm; CWE-79; 6.1 |
| 2022-02-28 | CVE-2022-25015 | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os | A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field. | network; low complexity; icehrm; CWE-79; 5.4 |
| 2021-10-04 | CVE-2021-38822 | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os | A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands. | network; low complexity; icehrm; CWE-79; 5.4 |
| 2021-06-22 | CVE-2021-34243 | Cross-site Scripting vulnerability in Icehrm 29.0.0.Os | A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. | network; low complexity; icehrm; CWE-79; 5.4 |
| 2021-06-22 | CVE-2021-35045 | Cross-site Scripting vulnerability in Icehrm 29.0.0.Os | Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint. | network; low complexity; icehrm; CWE-79; 6.1 |
| 2021-06-22 | CVE-2021-35046 | Session Fixation vulnerability in Icehrm 29.0.0.Os | A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. | network; low complexity; icehrm; CWE-384; 6.1 |
| 2020-02-18 | CVE-2020-9271 | Cross-Site Request Forgery (CSRF) vulnerability in Icehrm 26.2.0.Os | ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php. | network; low complexity; icehrm; CWE-352; 6.5 |