CVE-2022-25014: Reflected XSS vulnerability in the Dashboard page of logged-in user · Issue #283 · gamonoid/icehrm

Important note :

This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.

Description

The input sent to GET parameter m gets reflected in a script generated in the page, and isn’t sanitized properly, leading to a Reflected XSS vulnerability.

You can try adding the payload ';alert(document.cookie);// into the URL bar for m parameter, in any of the pages in IceHRM post login to see this in action.

The server is taking in the content of parameter 'm’, and generates the following script in the response enclosed within <script> tags :

$(document).ready(function() { $(“.dataTables_paginate ul”).addClass(“pagination”); var refId = “"; refId = 'admin_Admin’; $("[ref = ‘"+refId+"’] a”).first().click(); });

The refId parameter has the value passed in through m, which is unsanitized & gets reflected in the page.

Proof of Concept

1. login to the demo dashboard at https://icehrmpro.gamonoid.com/

2. Follow the link : https://icehrmpro.gamonoid.com/?g=admin&n=dashboard&m=admin_Admin%27;alert(document.cookie)//

Impact

A malicious actor can craft a link that - when clicked by any user logged in (admin or normal user) - can cause a Reflected XSS attack. This could lead to the leak of session credentials.

Occurences

var refId = "";

<?php if(empty($_REQUEST[‘m’])){?>

<?php if($user->user_level == ‘Admin’){?>

refId = '<?="admin_".str_replace(" ", "_", $adminModules[0][‘name’])?>’;

$("[ref = ‘"+refId+"’] a").first().click();

<?php }else{?>

refId = '<?="module_".str_replace(" ", "_", $userModules[0][‘name’])?>’;

$("[ref = ‘"+refId+"’] a").first().click();

<?php }?>

<?php } else{?>

refId = '<?=$_REQUEST[‘m’]?>’;

$("[ref = ‘"+refId+"’] a").first().click();

<?php }?>