PT-2021-22293 · Ice Hrm · Ice Hrm

Published 2021-10-04 · Updated 2021-10-12 · CVE-2021-38823

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IceHrm version 30.0.0 OS

Description: The issue is a session management flaw. Logging out of an admin account in one browser does not invalidate the same account's session that is open in another browser, so whoever holds that second session keeps administrative access after the legitimate user believes they have signed out. Logout only discards the current browser's session instead of revoking every active session of the account.

Recommendations: For IceHrm version 30.0.0 OS, as a temporary workaround, invalidate all active sessions of an admin account server-side when that account signs out (for example by tracking sessions per user, or by keeping a per-user session generation that is advanced on logout and checked on every request), or restrict access to sensitive features until a proper fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.
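The following is an added example written for this page; it is not IceHrm code and does not reproduce how IceHrm stores sessions. It models the behaviour the description above reports (logout in one browser leaves the admin session in a second browser alive) next to the hardened behaviour the recommendations ask for, using an in-memory store and a per-user session generation counter. The class and function names, and the in-memory store, are assumptions for illustration.

```python
"""Session-store demo: logout must revoke every session of the account.

Added example, not IceHrm code. SessionStore and the in-memory dicts are
illustrative assumptions. logout_current_only() reproduces the flaw the
advisory describes; logout_everywhere() shows the fix: advance a per-user
generation on logout so every outstanding token for that user is rejected.
"""
import secrets


class SessionStore:
    def __init__(self):
        # token -> (username, generation the token was issued under)
        self._sessions = {}
        # username -> current generation; a token is accepted only while
        # the generation it was issued under matches the user's current one
        self._generation = {}

    def login(self, username):
        """Issue a fresh, unguessable session token for username."""
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(username, 0)
        self._sessions[token] = (username, gen)
        return token

    def user_for(self, token):
        """Return the username if the token is still valid, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, gen = entry
        if gen != self._generation.get(username, 0):
            # Issued before a logout-everywhere: reject and drop it lazily.
            del self._sessions[token]
            return None
        return username

    def logout_current_only(self, token):
        """Flawed pattern from the advisory: only the calling browser's
        token is dropped, so the account's other sessions live on."""
        self._sessions.pop(token, None)

    def logout_everywhere(self, token):
        """Hardened pattern: drop this token and advance the user's
        generation so every other outstanding token is rejected."""
        entry = self._sessions.pop(token, None)
        if entry is not None:
            username, _ = entry
            self._generation[username] = self._generation.get(username, 0) + 1


def scenario(logout):
    """Admin logs in from two browsers and logs out from the first.
    Returns True if the second browser's session is still accepted."""
    store = SessionStore()
    browser_a = store.login("admin")
    browser_b = store.login("admin")
    logout(store, browser_a)
    return store.user_for(browser_b) == "admin"


def vulnerable_behaviour():
    # Constructed scenario: expected True (other browser stays logged in)
    return scenario(SessionStore.logout_current_only)


def hardened_behaviour():
    # Constructed scenario: expected False (other browser is logged out)
    return scenario(SessionStore.logout_everywhere)


if __name__ == "__main__":
    print("other browser still logged in (flawed logout):", vulnerable_behaviour())
    print("other browser still logged in (hardened logout):", hardened_behaviour())
```

The generation counter is used instead of walking every stored token because it works even when sessions live in a store that cannot be enumerated cheaply (a cookie-backed or distributed session backend): the only state the application must keep is one integer per user, compared on each request against the value embedded in the session. Logging out one user does not disturb other users' generations, and a fresh login after a logout-everywhere is issued under the new generation and is accepted.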

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2021-38823

Affected Products

Ice Hrm