PT-2020-18928 · Glacies · Glacies Icehrm

Yuri Kramarz

Published

2020-07-10

Updated

2022-05-12

CVE-2020-6114

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Glacies IceHRM version 26.6.0.OS

Description A SQL injection issue exists in the Admin Reports functionality. This can be triggered by a specially crafted HTTP request, allowing an attacker to cause SQL injection via an authenticated HTTP request.

Recommendations For Glacies IceHRM version 26.6.0.OS, consider restricting access to the Admin Reports functionality until a fix is available. As a temporary workaround, avoid using the vulnerable functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-6114

Affected Products

Glacies Icehrm

PT-2020-18928 · Glacies · Glacies Icehrm

CVE-2020-6114

Weakness Enumeration

Related Identifiers

Affected Products

References · 3