CVE-2024-46073

Name of the Vulnerable Software and Affected Versions: IceHRM version 32.4.0.OS

Description: A reflected Cross-Site Scripting (XSS) issue exists in the login page due to improper sanitization of the next parameter, which is included in the application's response without adequate escaping. This allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser by tricking a user into visiting a specially crafted URL. The issue occurs despite the application having sanitization mechanisms in place.

Recommendations: For IceHRM version 32.4.0.OS, as a temporary workaround, consider disabling the login page or restricting access to it until a patch is available. Additionally, avoid using the next parameter in the login page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.