This page aggregates CVEs and security vulnerability information across icehrm-related products, listing CVSS, EPSS, publication date, and vulnerability details.
Past issues mainly concern CSRF and SQL injection, some of which lead to data exposure, and they affect scenarios involving production workloads and software deployment.
The data shown is based on public vulnerability information and security advisories and can be used to assess historical exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-6282 | IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially hijacking the victim's browser. | [email protected] | 5.4 | 0.08% | 2024-01-25 | 2024-11-21 |
| CVE-2022-26588 | A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI. | [email protected] | 6.5 | 0.16% | 2022-04-08 | 2024-11-21 |
| CVE-2022-25015 | A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field. | [email protected] | 5.4 | 0.20% | 2022-02-28 | 2024-11-21 |
| CVE-2022-25014 | Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link. | [email protected] | 6.1 | 0.33% | 2022-02-28 | 2024-11-21 |
| CVE-2022-25013 | Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php. | [email protected] | 6.1 | 0.33% | 2022-02-28 | 2024-11-21 |
| CVE-2021-38823 | The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser. | [email protected] | 9.8 | 0.38% | 2021-10-04 | 2024-11-21 |
| CVE-2021-38822 | A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands. | [email protected] | 5.4 | 0.33% | 2021-10-04 | 2024-11-21 |
| CVE-2021-35046 | A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. | [email protected] | 6.1 | 0.20% | 2021-06-22 | 2024-11-21 |
| CVE-2021-35045 | Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint. | [email protected] | 6.1 | 0.40% | 2021-06-22 | 2024-11-21 |
| CVE-2021-34244 | A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords. | [email protected] | 8.8 | 0.14% | 2021-06-22 | 2024-11-21 |
| CVE-2021-34243 | A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file. | [email protected] | 5.4 | 0.18% | 2021-06-22 | 2024-11-21 |
| CVE-2020-6114 | An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a). A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 7.2 | 2.21% | 2020-07-10 | 2024-11-21 |
| CVE-2020-9271 | ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php. | [email protected] | 6.5 | 0.16% | 2020-02-18 | 2024-11-21 |
| CVE-2020-9270 | ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php. | [email protected] | 8.8 | 0.18% | 2020-02-18 | 2024-11-21 |
| CVE-2018-12420 | IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request. | [email protected] | 7.5 | 0.15% | 2018-06-14 | 2024-11-21 |