Cooliscool

**Name of the Vulnerable Software and Affected Versions** OrangeHRM version v4.10.1 **Description** A stored cross-site scripting (XSS) issue in the addNewPost component allows attackers to execute arbitrary web scripts or HTML via a crafted POST request to the `/api/v1/addNewPost` endpoint, using vulnerable parameters such as `post content`. This enables attackers to inject malicious scripts, potentially leading to unauthorized access or data theft. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** For OrangeHRM version v4.10.1, as a temporary workaround, consider disabling the `addNewPost` component until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the `post content` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Ice Hrm version 30.0.0.OS **Description** The issue is related to multiple reflected cross-site scripting (XSS) vulnerabilities. These vulnerabilities are exploited via the `key` and `fm` parameters in the component login.php. **Recommendations** For Ice Hrm version 30.0.0.OS, avoid using the `key` and `fm` parameters in the login.php component until a fix is available. As a temporary workaround, consider restricting access to the login.php component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ice Hrm version 30.0.0.OS **Description** A reflected cross-site scripting (XSS) issue was found in the Dashboard of the current user, allowing attackers to compromise session credentials via user interaction with a crafted link. The vulnerability is exploited through the `m` parameter. **Recommendations** For Ice Hrm version 30.0.0.OS, consider restricting access to the Dashboard or disabling the `m` parameter to minimize the risk of exploitation until a patch is available. Avoid using the `m` parameter in the affected Dashboard until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ice Hrm version 30.0.0.OS **Description** A stored cross-site scripting (XSS) issue allows attackers to steal cookies via a crafted payload inserted into the `First Name` field. This can be exploited to gain unauthorized access to user sessions. **Recommendations** For Ice Hrm version 30.0.0.OS, consider restricting input to the `First Name` field to prevent the insertion of malicious payloads until a patch is available. As a temporary workaround, monitor user sessions closely for signs of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this issue.