Ice Hrm · CVE-2024-46073
Name of the Vulnerable Software and Affected Versions:
IceHRM version 32.4.0.OS
Description:
A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page because the `next` parameter is not properly sanitized: its value is reflected into the application's response without adequate output escaping. An attacker who tricks a user into visiting a specially crafted URL can therefore execute arbitrary JavaScript in the context of the victim's browser. The issue is present even though the application has sanitization mechanisms in place, which indicates that those mechanisms do not cover this reflection point.
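The following PHP snippet is an added illustration of the defect class described above and of how a developer would close it; it is not IceHRM's code, and the function names (`safeNextPath`, `renderLoginVulnerable`, `renderLoginHardened`) and the hidden-input markup are hypothetical. It contrasts writing the raw `next` value into an HTML attribute with first validating it as a site-relative path and then encoding it for the attribute context, so that neither markup injection nor an open redirect survives.

```php
<?php
// Added example (not IceHRM's own code). Names and markup are hypothetical.
declare(strict_types=1);

/**
 * Return a safe site-relative path to send the user to after login,
 * or $fallback if the supplied value is anything else.
 */
function safeNextPath(?string $next, string $fallback = '/'): string
{
    if ($next === null || $next === '') {
        return $fallback;
    }
    // Reject control characters and whitespace outright.
    if (preg_match('/[\x00-\x20\x7f]/', $next)) {
        return $fallback;
    }
    // Must start with exactly one "/" (no "//" or "/\" protocol-relative
    // forms) and contain only ordinary URL path/query characters.
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9._~!$&\'()*+,;=:@/%?-]*$#', $next)) {
        return $fallback;
    }
    // Belt and braces: parse_url() must also see no scheme and no host.
    $parts = parse_url($next);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $next;
}

/** Encode a string for use inside an HTML attribute value or text node. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the parameter is concatenated straight into the page,
// so a value containing '"' closes the attribute and injects markup.
function renderLoginVulnerable(string $next): string
{
    return '<input type="hidden" name="next" value="' . $next . '">';
}

// Hardened pattern: validate first, then encode for the attribute context.
function renderLoginHardened(?string $next): string
{
    return '<input type="hidden" name="next" value="' . h(safeNextPath($next)) . '">';
}

// Demonstration on constructed inputs.
$benign  = '/app/dashboard?tab=1';
$probe   = '"><b>injected</b>';            // constructed attribute break-out probe
$foreign = '//example.invalid/phish';      // constructed protocol-relative redirect

echo renderLoginVulnerable($probe), "\n";  // attribute is closed, <b> lands in the page
echo renderLoginHardened($probe), "\n";    // fails validation, falls back to value="/"
echo renderLoginHardened($foreign), "\n";  // rejected as well, value="/"
echo renderLoginHardened($benign), "\n";   // kept, with & and ? left harmless by encoding
```

Both layers matter: validation alone still leaves the attribute context unencoded if a future change relaxes the character set, and encoding alone would stop the XSS but still let a `next` value such as `//example.invalid/phish` turn the login flow into an open redirect.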
Recommendations:
For IceHRM version 32.4.0.OS, as a temporary workaround, consider disabling the login page or restricting access to it until a patch is available. Additionally, avoid using the `next` parameter in the login page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.