Gideon Gray

**Name of the Vulnerable Software and Affected Versions** openBaraza HCM version 3.1.6 **Description** The issue arises from the failure to properly neutralize user-controllable input, allowing an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user. This attack can be launched from several endpoints, including "hr/subscription.jsp", "hr/application.jsp", and "hr/index.jsp" (with view=). **Recommendations** For openBaraza HCM version 3.1.6, consider disabling access to the affected endpoints "hr/subscription.jsp", "hr/application.jsp", and "hr/index.jsp" (with view=) until a patch is available to prevent stored cross-site scripting (XSS) attacks. Restrict input to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.