Icehrm
CVE-2018-12420
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.
AnalysisAI
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-327. IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request. Affected products include: Icehrm. Version information: before 23.0.1..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. Rated critical severity (CVSS 9.8), this
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create n
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php. Rated high severity (CVSS 8.8), this
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commi
A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account ta
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php. Rated medium severity (CVSS 6.5), this
Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter i
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key"
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user ses
Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parame
A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted p
A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today