CVE-2023-6282

Name of the Vulnerable Software and Affected Versions IceHrm version 23.0.0.OS

Description The issue arises from insufficient encoding of user-controlled input, leading to a Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited via the /icehrm/app/fileupload page.php endpoint, specifically in multiple parameters. An attacker could send a specially crafted JavaScript payload to partially hijack the victim's browser.

Recommendations For IceHrm version 23.0.0.OS, as a temporary workaround, consider restricting access to the /icehrm/app/fileupload page.php endpoint until a patch is available. Additionally, avoid using user-controlled input in the affected parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.