OrangeHRM 2.7.1 Cross Site Scripting

2013.01.11
Credit: Ken
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

OrangeHRM[1] 2.7.1[2] -- the latest stable release as of this writing -- suffers from a persistent (stored) XSS in the vacancy name variable: a value saved in the Vacancy Name field is rendered back unescaped on the vacancy listing page.

Steps:

1. Navigate to the following URL: http://[domain]/symfony/web/index.php/recruitment/viewJobVacancy
2. Add or Edit a Vacancy
3. In the Vacancy Name parameter put XSS script
4. Save
5. Navigate back to top Vacancy page (click back button)
6. Witness XSS

Screen shots of the above exploit steps may be found on my website (for those who want additional validation): http://securitymaverick.com/?p=408

I contacted OrangeHRM[3] but did not receive a reply.

Thanks,
Ken

PS - Currently on twitter: https://twitter.com/infosecmaverick

----------------
[1] http://sourceforge.net/projects/orangehrm/
[2] http://sourceforge.net/projects/orangehrm/files/stable/2.7.1/
[3] http://www.orangehrm.com/
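As an added illustration (not code from the advisory or from OrangeHRM) of the defect class reported above, the following minimal PHP listing renders vacancy names the vulnerable way and the hardened way side by side; the row layout, the function names and the sample rows are assumptions made for this example.

```php
<?php
// Added example, not OrangeHRM code: stored-XSS-safe rendering of a vacancy list.
// Assumes each vacancy row is an array with 'id' and 'name' keys (hypothetical
// layout); the sample rows below are constructed for the demonstration.
declare(strict_types=1);

// Constructed sample rows. The second name carries the kind of markup that a
// user could persist through the Vacancy Name field described in the advisory.
$vacancies = [
    ['id' => 1, 'name' => 'Senior PHP Developer'],
    ['id' => 2, 'name' => '"><script>alert(1)</script>'],
];

// HTML-context escaping: ENT_QUOTES also encodes single quotes so the value is
// safe inside quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string (which would hide data instead of fixing it).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored name is echoed verbatim into both an
// attribute and element text, so whatever was saved executes for every viewer.
function renderVulnerable(array $rows): string
{
    $out = '';
    foreach ($rows as $r) {
        $id = (int) $r['id'];
        $out .= "<a href=\"/vacancy/{$id}\" title=\"{$r['name']}\">{$r['name']}</a>\n";
    }
    return $out;
}

// Hardened rendering: the untrusted value is escaped at output time for the
// HTML contexts it lands in (quoted attribute value and element text).
function renderEscaped(array $rows): string
{
    $out = '';
    foreach ($rows as $r) {
        $id = (int) $r['id'];
        $name = h($r['name']);
        $out .= "<a href=\"/vacancy/{$id}\" title=\"{$name}\">{$name}</a>\n";
    }
    return $out;
}

// Self-check when run from the command line: the hardened output carries no
// live tag, only the encoded text of the stored value.
assert(str_contains(renderVulnerable($vacancies), '<script>'));
assert(!str_contains(renderEscaped($vacancies), '<script>'));
echo renderEscaped($vacancies);
```

Escaping at output time is the fix that holds regardless of how the value entered the database; input filtering on the edit form alone leaves rows already stored, and any other write path, unprotected.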

References:

https://twitter.com/infosecmaverick
http://sourceforge.net/projects/orangehrm/


Copyright 2024, cxsecurity.com