
Charlesbickel

#44114 of 53,632
6.1 Total CVSS
Vulnerabilities · 1
PT-2021-22225
6.1
2021-08-13
Unknown · Openbaraza Hcm · CVE-2021-38583
**Name of the Vulnerable Software and Affected Versions**

openBaraza HCM version 3.1.6

**Description**

The application fails to neutralize user-controllable input before reflecting it into HTML (CWE-79), resulting in reflected cross-site scripting (XSS) on several pages, including `hr/subscription.jsp`, `hr/application.jsp`, and `hr/index.jsp` (the `view=` and `data=` parameters). An attacker who lures a user into opening a crafted link can execute script in that user's browser in the context of the application's origin.

**Recommendations**

No release containing a fix is known at the time of writing. Until one is available, disable access to the affected pages (`hr/subscription.jsp`, `hr/application.jsp`, and `hr/index.jsp`) for openBaraza HCM 3.1.6, or, if `hr/index.jsp` must remain reachable, restrict its `view` and `data` parameters to an allowlist of expected values at the web server or a reverse proxy. Note that blocking only these three pages does not cover any further reflection points the advisory does not list. A proper fix must HTML-encode every parameter value at the point where it is written into the page.
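The two things a practitioner needs from this entry are a way to confirm whether a given deployment still reflects the parameters unencoded, and a way to apply the interim restriction without breaking legitimate traffic. The Python below is an added example written for this page; it is not code from dbugs or from the openBaraza project. The allowlisted `view` values and the numeric `data` format are assumptions for illustration (take the real ones from your deployment's own links), and the access-log lines are constructed, not captured from a real system.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Pages named in CVE-2021-38583 for openBaraza HCM 3.1.6.
AFFECTED_PAGES = {"/hr/subscription.jsp", "/hr/application.jsp", "/hr/index.jsp"}

# Allowlist for the two reflected parameters on hr/index.jsp. These values are
# ASSUMED for illustration; take the real ones from your deployment's links.
ALLOWED_VIEW = {"list", "detail", "summary"}
ALLOWED_DATA = re.compile(r"^[0-9]{1,10}$")

# Canary used to confirm or rule out unencoded reflection. Its HTML-escaped
# form differs from the raw form, so the two outcomes are distinguishable.
PROBE = "<svg onload=alert(1)>"


def reflection_status(probe: str, body: str) -> str:
    """Classify how a submitted value came back in a response body.

    'raw'     - appears verbatim: the page is exploitable
    'encoded' - only the HTML-escaped form appears: output encoding is in place
    'none'    - not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "none"


def interim_policy(url: str, keep_index: bool = False) -> tuple[bool, str]:
    """Decide whether a request is allowed under the advisory's interim advice.

    With keep_index=False all three affected pages are blocked. With
    keep_index=True, hr/index.jsp stays reachable but every 'view' and 'data'
    value must match the allowlist; the other two pages stay blocked.
    Returns (allowed, reason).
    """
    parsed = urlparse(url)
    path = parsed.path
    if path not in AFFECTED_PAGES:
        return True, "not an affected page"
    if not keep_index or path != "/hr/index.jsp":
        return False, f"{path} disabled pending a fixed release"
    # parse_qs percent-decodes values, so encoded payloads are checked decoded.
    params = parse_qs(parsed.query, keep_blank_values=True)
    for value in params.get("view", []):
        if value not in ALLOWED_VIEW:
            return False, f"view={value!r} not in allowlist"
    for value in params.get("data", []):
        if not ALLOWED_DATA.fullmatch(value):
            return False, f"data={value!r} is not a numeric id"
    return True, "hr/index.jsp with allowlisted parameters"


def flag_access_log(lines: list[str], keep_index: bool = False) -> list[tuple[str, str]]:
    """Run the interim policy over Common Log Format lines and return
    (request_url, reason) for each request the policy would have denied.
    Run it before enabling the block to see what would break, and afterwards
    to spot probing of the affected parameters."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        allowed, reason = interim_policy(m.group(1), keep_index=keep_index)
        if not allowed:
            flagged.append((m.group(1), reason))
    return flagged


# Constructed log lines, not captured from a real openBaraza deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Aug/2021:10:00:00 +0000] "GET /hr/index.jsp?view=list&data=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Aug/2021:10:00:07 +0000] "GET /hr/index.jsp?view=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 611',
    '10.0.0.9 - - [13/Aug/2021:10:00:09 +0000] "GET /hr/subscription.jsp?x=1 HTTP/1.1" 200 380',
    '10.0.0.7 - - [13/Aug/2021:10:00:11 +0000] "GET /hr/other.jsp?view=anything HTTP/1.1" 200 201',
]

if __name__ == "__main__":
    for url, reason in flag_access_log(SAMPLE_LOG, keep_index=True):
        print(f"DENY {url}: {reason}")
```

`reflection_status` is the check to run against a response after the vendor ships a fix or after you deploy encoding yourself: a result of `raw` means the page still writes the parameter into HTML unchanged, while `encoded` means the value came back as `&lt;svg ...&gt;` and the browser will not execute it. The `interim_policy` logic is what you would express as a rule in the reverse proxy or WAF in front of the application; running `flag_access_log` over a day of real traffic first shows which legitimate `view` and `data` values the assumed allowlist would need to include.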